DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to Application 17/370,863 filed on 7/8/2021.
Claims 1-20 have been examined and are pending in this application.
The examiner notes the IDSs filed on 7/14/2021, 3/31/2022, and 8/3/2022 has been considered. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 1, 2 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1 of U.S. Patent No. 11,089,056.  Although the claims at issue are not identical, they are not patentably distinct from each other because:

The examiner notes that Claim 1 of U.S. patent No. 11,089,056 recites substantially similar subject matter, more specifically: 
A computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on one or more computing devices, performs the steps of: creating key material for cryptographic handling of a file at a key management system for an enterprise network, the key material including a key pair having a private encryption key and a public decryption key; providing a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list; cryptographically securing the honeypot file by encrypting the honeypot file with the private encryption key to provide a tagged file; storing the tagged file on a data store in the enterprise network; storing the public decryption key in a central keystore for the enterprise network; detecting a retrieval of the public decryption key from the central keystore, the retrieval associated with an authentication of the tagged file by a device; and initiating a remedial action responsive to detecting the retrieval associated with the authentication of the tagged file by the device, the remedial action including monitoring subsequent network activity within the enterprise network by the device.
The examiner notes that the features emphasized above are obvious variants to that claimed in the limitations of Claims 1, 2 and 20 of the Instant Application.

Claims 3-19 depend from respective independent Claims 2 thus, would respectfully inherit the Double Patenting rejection.








Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 20 is rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Regarding claim 20; the claim calls for a system; however, there is no hardware element found within the claimed system. As recited in the body of the claim, the claimed system contains “data store”, “central keystore” and “threat management facility”.  One of ordinary skill in the art would understand that ‘data store’, ‘central keystore’ and ‘threat management facility' could be implemented in software and a ‘processor’ could be a software processor (See “The Authoritative Dictionary of IEEE Standards Terms,” Seventh Edition, published in 2000). As the body of the claim does not positively recite any hardware embodiment, the claim is directed to non-statutory subject matter.  The nominal recitation of the machine/device in the preamble with an absence of a hardware element in the body of the claim fails to make the claim statutory under 35 USC 101.  See Am. Med. Sys., Inc v. Biolitec, Inc., 618 F.3d 1354, 1358 (Fed. Cir. 2010).  See also Ex parte Cohen et al., (Appeal No. 2009-011366) for details.  The Examiner respectfully suggests that the claim be further amended to positively recites at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101.  



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 1-9, 11-15 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10,521,184 A1) in view of Shulman (US 2016/0301712 A1).





Regarding Claim 1;
Sharifi Mehr discloses a computer program product comprising computer executable code embodied in a non- transitory computer-readable medium that, when executing on one or more computing devices, performs the steps of: 
providing a honeypot file in a file system accessible to devices in an enterprise network (col. 2, lines 65-col. 3, lines 3 - For example, the threat analysis service may deploy decoy files within a customer file system, decoy data within a customer database, decoy cookies with the customer browser or decoy cryptographic keys within a cryptographic key server used by the customer); 
...
storing key material in a central keystore for the enterprise network, the key material for decrypting the tagged file (col. 6, lines 43-61 –  The decoy cryptographic key 220 is a cryptographic key that is accessible via the decoy virtual server 214. In some implementations, the decoy cryptographic key 220 is stored in memory on the decoy virtual server 214. In other implementations, the decoy cryptographic key 220 is stored on a cryptoprocessor used by the decoy virtual server 214. If an attacker uses the decoy cryptographic key 220 to generate a digital signature, encrypt data, or decrypt data, the threat analysis service detects the use of the decoy cryptographic key 220 by verifying the digital signature, decrypting the encrypted data, or detecting the successful decryption of data encrypted with the decoy cryptographic key 220. In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion);
detecting a retrieval of the portion of the key material from the central keystore...  (col. 6, lines 43-61 –  In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion); 
[detect intrusion] (col. 6, lines 43-61 –  In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion).
Sharifi Mehr fails to explicitly disclose 
cryptographically securing the honeypot file by encrypting the honeypot file to provide a tagged file; 
detecting a retrieval ... the retrieval associated with an attempted access of the tagged file by one of the devices; and 
initiating a remedial action responsive to detecting the retrieval of the key material, the remedial action including monitoring subsequent network activity within the enterprise network by the one of the devices.
However, in an analogous art, Shulman teaches a method comprising:
[providing a honeypot file] (Shulman, [0063] - At circle `1C`, after receipt of the RHT script 150A, the client end station 120A executes the RHT script 150A, which logically performs the following flow: first, at block 210, the client end station 120A generates an encryption key using the seed value 202 according to well-known encryption algorithms in common use... At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216);
cryptographically securing the honeypot file by encrypting the honeypot file to provide a tagged file (Shulman, [0063] - Using the ... encryption key, at block 212 the client end station 120A encrypts the IP address assigned to that client end station 120A (or some other value that distinguishes that client end station 120A from the others), and converts the resulting binary value to a Base64 representation. At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216);
detecting a retrieval ... the retrieval associated with an attempted access of the tagged file by one of the devices (Shulman, [0066]-[0068] - At circle `4`, the intruder 124, again via the client end station 125, transmits a set of one or more packets 132 including a request designed to access enterprise data of one of the servers (112, 114, 116) of the server end stations 110. This request carried by the set of packets 132 includes the reverse honey token 130A... If a candidate value does match the prefix value 204, the flow continues with block 224 and the RHT detection module may also optionally immediately generate an alert 140, which in some embodiments includes transmitting 230 a notification message to another enterprise user such as an administrator);
initiating a remedial action responsive to detecting the retrieval of the key material, the remedial action including monitoring subsequent network activity within the enterprise network by the one of the devices (Shulman, [0028] - Upon this detection, network traffic from the client attempting to utilize the reverse honey token can be monitored, regulated, and/or blocked from reaching the targeted server, the client end station determined to be compromised can be taken offline or repaired, and/or the client end station(s) responsible for transmitting the traffic having the reverse honey token can be sought, analyzed, and/or blocked from further network access and [0068] - RHT detection module may also optionally immediately generate an alert 140, which in some embodiments includes transmitting 230 a notification message to another enterprise user such as an administrator).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Shulman to the honeypot file/key material of Sharifi Mehr to include cryptographically securing the honeypot file by encrypting the honeypot file to provide a tagged file; detecting a retrieval ... the retrieval associated with an attempted access of the tagged file by one of the devices; and initiating a remedial action responsive to detecting the retrieval of the key material, the remedial action including monitoring subsequent network activity within the enterprise network by the one of the devices.
One would have been motivated to combine the teachings of Shulman to Sharifi Mehr to do so as it provide users with a means for detection of comprised insiders (Shulman, [0002]).



Claim 2
Sharifi Mehr discloses a method, comprising: 
providing a honeypot file in a file system accessible to a device (col. 2, lines 65-col. 3, lines 3 - For example, the threat analysis service may deploy decoy files within a customer file system, decoy data within a customer database, decoy cookies with the customer browser or decoy cryptographic keys within a cryptographic key server used by the customer);
...
storing a portion of key material in a central keystore for the enterprise network, the key material used in decrypting the tagged file (col. 6, lines 43-61 –  The decoy cryptographic key 220 is a cryptographic key that is accessible via the decoy virtual server 214. In some implementations, the decoy cryptographic key 220 is stored in memory on the decoy virtual server 214. In other implementations, the decoy cryptographic key 220 is stored on a cryptoprocessor used by the decoy virtual server 214. If an attacker uses the decoy cryptographic key 220 to generate a digital signature, encrypt data, or decrypt data, the threat analysis service detects the use of the decoy cryptographic key 220 by verifying the digital signature, decrypting the encrypted data, or detecting the successful decryption of data encrypted with the decoy cryptographic key 220. In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion);
detecting a retrieval of the portion of the key material from the central keystore...  (col. 6, lines 43-61 –  In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion); and
[detect intrusion] ... responsive to the retrieval of the portion of the key material used in decrypting the tagged file (col. 6, lines 43-61 –  The decoy cryptographic key 220 is a cryptographic key that is accessible via the decoy virtual server 214. In some implementations, the decoy cryptographic key 220 is stored in memory on the decoy virtual server 214. In other implementations, the decoy cryptographic key 220 is stored on a cryptoprocessor used by the decoy virtual server 214. If an attacker uses the decoy cryptographic key 220 to generate a digital signature, encrypt data, or decrypt data, the threat analysis service detects the use of the decoy cryptographic key 220 by verifying the digital signature, decrypting the encrypted data, or detecting the successful decryption of data encrypted with the decoy cryptographic key 220. In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion)).
Sharifi Mehr fails to explicitly disclose:
cryptographically securing the honeypot file to provide a tagged file; 
storing the tagged file on a data store in an enterprise network; and
initiating a security action responsive to the retrieval....
However, in an analogous art, Shulman teaches a method comprising:
[providing a honeypot file] (Shulman, [0063] - At circle `1C`, after receipt of the RHT script 150A, the client end station 120A executes the RHT script 150A, which logically performs the following flow: first, at block 210, the client end station 120A generates an encryption key using the seed value 202 according to well-known encryption algorithms in common use... At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216);
cryptographically securing the honeypot file to provide a tagged file ((Shulman, [0063] - Using the ... encryption key, at block 212 the client end station 120A encrypts the IP address assigned to that client end station 120A (or some other value that distinguishes that client end station 120A from the others), and converts the resulting binary value to a Base64 representation. At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216);
storing the tagged file on a data store in an enterprise network (Shulman, [0063]-[0064] - At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216. At circle `2` the intruder 124, via the client end station 125, connects to the client end station 120A and discovers, at circle `3`, the existence of the reverse honey token 130A within the configuration repository 128);
initiating a security action responsive to the retrieval ... (Shulman, [0028] - Upon this detection, network traffic from the client attempting to utilize the reverse honey token can be monitored, regulated, and/or blocked from reaching the targeted server, the client end station determined to be compromised can be taken offline or repaired, and/or the client end station(s) responsible for transmitting the traffic having the reverse honey token can be sought, analyzed, and/or blocked from further network access and [0068] - RHT detection module may also optionally immediately generate an alert 140, which in some embodiments includes transmitting 230 a notification message to another enterprise user such as an administrator).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Shulman to the honeypot file/key material of Sharifi Mehr to include cryptographically securing the honeypot file to provide a tagged file; storing the tagged file on a data store in an enterprise network; and initiating a security action responsive to the retrieval.
One would have been motivated to combine the teachings of Shulman to Sharifi Mehr to do so as it provide users with a means for detection of comprised insiders (Shulman, [0002]).

Regarding Claim 3;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr further discloses wherein the key material includes an asymmetric key pair (col. 6, lines 2-5 – asymmetric cryptographic keys and col. 6, lines 43-61).

Regarding Claim 4;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr further discloses wherein the key material ... (col. 6, lines 2-5 – asymmetric cryptographic keys and col. 6, lines 43-61).
Shulman further teaches wherein the cryptographically securing the honey pot files includes using [ ] key material to encrypt the honeypot file (Shulman, [0063] – Using the ... encryption key, at block 212 the client end station 120A encrypts the IP address assigned to that client end station 120A (or some other value that distinguishes that client end station 120A from the others), and converts the resulting binary value to a Base64 representation. At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216);

Regarding Claim 5;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Shulman further teaches wherein the cryptographically securing the honey pot files includes using [ ] key material to ... the honeypot file (Shulman, [0063] – Using the ... encryption key, at block 212 the client end station 120A encrypts the IP address assigned to that client end station 120A (or some other value that distinguishes that client end station 120A from the others), and converts the resulting binary value to a Base64 representation. At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216).
Sharifi Mehr and Shulman fail to explicitly disclose cryptographically securing... includes using the key material to digitally sign
However, in an alternative, Sharifi Mehr further teaches concepts of cryptographically securing... includes using the key material to digitally sign (Sharifi Mehr, col. 6, lines 43-61 – generate a digital signature).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Sharifi Mehr to the method of Sharifi Mehr and Shulman to include concepts of cryptographically securing... includes using the key material to digitally sign. Further a person of ordinary skill in the art to use exemplary rationale to support a conclusion of obviousness, such rationale, i.e., combining prior art elements according to known methods to yield predictable results;  simple substitution of one known element for another to obtain predictable results; "obvious to try" – choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success to predict a result in which the teachings of Sharifi Mehr’s digital signing can be predictably combined to the cryptographically securing of Sharifi Mehr and Shulman to thereby achieve a result/solution that would read on the claim limitation. One would have been motivated to combine the teachings of Shulman to Sharifi Mehr to provide users with a means for improved detection of system anomalies by identifying relationships (Sharifi Mehr, col. 1, lines 59-63).

Regarding Claim 6;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr further discloses wherein the data store includes at least one of network storage for the enterprise network and a directory on an endpoint in the enterprise network (col. 3, lines 61-66 - In various examples, the virtual computing service 102 may be a computer system, virtual computer system, computer server, or server cluster allocated by the computing resource service provider to the customer and col. 4, lines 9-16 - The data storage service 104 provides a service that allows a customer to store data on a storage device managed by the computing resource service provider. The data storage service 104 may, in various examples, be a network accessible storage device, an online storage service, network attached storage device, or remotely accessible volume allocated to the customer by the computing resource service provider and col. 6, lines 43-61).
Regarding Claim 7;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr further discloses wherein the central keystore includes at least one of a remote cloud resource for the enterprise network, and a third party trusted resource (col. 1, lines 65-col. 2, lines 8 - A computing resource service provider provides a threat analysis service that monitors the operation of a customer computing environment. The customer computing environment may include client computer systems, computer servers, data storage services, virtual computing services, authentication services, encryption services, network devices and appliances, virtual networking services, or other services operated by the customer. In some examples, the customer computing environment may include computing resources provided by the computing resource service provider such as data storage resources, processing resources, cryptography resources, and system management services). 

Regarding Claim 8;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr further discloses wherein detecting the retrieval of the portion of the key material includes at least one of detecting an opening of the tagged file and detecting an authentication ... (col. 6, lines 43-61 - If an attacker uses the decoy cryptographic key 220 to generate a digital signature, encrypt data, or decrypt data, the threat analysis service detects the use of the decoy cryptographic key 220 by verifying the digital signature (i.e., as reasonably constructed authentication), decrypting the encrypted data, or detecting the successful decryption of data encrypted with the decoy cryptographic key 220 (i.e., as reasonably constructed authentication). In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion)
Shulman further teaches ...the tagged file (Shulman, [0063] - At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216);
Similar motivation as used for Claim 1 can be applied to Claim 8. 

Regarding Claim 9;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr further discloses wherein the retrieval of the portion of the key material... (col. 6, lines 43-61 –  The decoy cryptographic key 220 is a cryptographic key that is accessible via the decoy virtual server 214. In some implementations, the decoy cryptographic key 220 is stored in memory on the decoy virtual server 214. In other implementations, the decoy cryptographic key 220 is stored on a cryptoprocessor used by the decoy virtual server 214. If an attacker uses the decoy cryptographic key 220 to generate a digital signature, encrypt data, or decrypt data, the threat analysis service detects the use of the decoy cryptographic key 220 by verifying the digital signature, decrypting the encrypted data, or detecting the successful decryption of data encrypted with the decoy cryptographic key 220. In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion);
Shulman further teaches retrieval ... is requested from a file system extension on an endpoint that controls access to encrypted content (Shulman, [0035] – file system access protocols and [0063]-[0065] - At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216. At circle `2` the intruder 124, via the client end station 125, connects to the client end station 120A and discovers, at circle `3`, the existence of the reverse honey token 130A within the configuration repository 128. At circle `4`, the intruder 124, again via the client end station 125, transmits a set of one or more packets 132 including a request designed to access enterprise data of one of the servers (112, 114, 116) of the server end stations 110. This request carried by the set of packets 132 includes the reverse honey token 130A).
Similar motivation as used for Claim 1 can be applied to Claim 9. 

Regarding Claim 11;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Shulman further teaches wherein initiating the security action includes identifying a device associated with decrypting the tagged file as a malicious intruder (Shulman, [0028] - Upon this detection, network traffic from the client attempting to utilize the reverse honey token can be monitored, regulated, and/or blocked from reaching the targeted server, the client end station determined to be compromised can be taken offline or repaired, and/or the client end station(s) responsible for transmitting the traffic having the reverse honey token can be sought, analyzed, and/or blocked from further network access).

Regarding Claim 12;
Sharifi Mehr and Shulman disclose the method to Claim 11.
Shulman further teaches wherein the security action includes at least one of blacklisting the malicious intruder from the enterprise network, redirecting the malicious intruder to a honeypot, and monitoring activities of the malicious intruder (Shulman, [0028] - Upon this detection, network traffic from the client attempting to utilize the reverse honey token can be monitored, regulated, and/or blocked from reaching the targeted server, the client end station determined to be compromised can be taken offline or repaired, and/or the client end station(s) responsible for transmitting the traffic having the reverse honey token can be sought, analyzed, and/or blocked from further network access).

Regarding Claim 13;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Shulman further teaches wherein the security action includes triggering an alert. (Shulman, [0028] and [0068] - RHT detection module may also optionally immediately generate an alert 140, which in some embodiments includes transmitting 230 a notification message to another enterprise user such as an administrator).



Regarding Claim 14;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Shulman further teaches wherein the data store is on an endpoint of the enterprise network, and wherein the remedial action includes remediating the endpoint (Shulman, [0028] - Upon this detection, network traffic from the client attempting to utilize the reverse honey token can be monitored, regulated, and/or blocked from reaching the targeted server, the client end station determined to be compromised can be taken offline or repaired, and/or the client end station(s) responsible for transmitting the traffic having the reverse honey token can be sought, analyzed, and/or blocked from further network access and [0063]-[0065] - At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216. At circle `2` the intruder 124, via the client end station 125, connects to the client end station 120A and discovers, at circle `3`, the existence of the reverse honey token 130A within the configuration repository 128. At circle `4`, the intruder 124, again via the client end station 125, transmits a set of one or more packets 132 including a request designed to access enterprise data of one of the servers (112, 114, 116) of the server end stations 110. This request carried by the set of packets 132 includes the reverse honey token 130A and [0068] - RHT detection module may also optionally immediately generate an alert 140, which in some embodiments includes transmitting 230 a notification message to another enterprise user such as an administrator).



Regarding Claim 15;
Sharifi Mehr and Shulman disclose the method to Claim 14.
Shulman further teaches wherein remediating the endpoint includes at least one of quarantining the endpoint and pulling one or more keys for access to secure content on the endpoint from the endpoint (Shulman, [0028] - Upon this detection, network traffic from the client attempting to utilize the reverse honey token can be monitored, regulated, and/or blocked (i.e., as reasonably constructed quarantining) from reaching the targeted server, the client end station determined to be compromised can be taken offline or repaired, and/or the client end station(s) responsible for transmitting the traffic having the reverse honey token can be sought, analyzed, and/or blocked from further network access).

Regarding Claim 20;
Sharifi Mehr discloses a system comprising:
a central keystore for the enterprise network (col. 6, lines 43-61 –  The decoy cryptographic key 220 is a cryptographic key that is accessible via the decoy virtual server 214. In some implementations, the decoy cryptographic key 220 is stored in memory on the decoy virtual server 214. In other implementations, the decoy cryptographic key 220 is stored on a cryptoprocessor used by the decoy virtual server 214. If an attacker uses the decoy cryptographic key 220 to generate a digital signature, encrypt data, or decrypt data, the threat analysis service detects the use of the decoy cryptographic key 220 by verifying the digital signature, decrypting the encrypted data, or detecting the successful decryption of data encrypted with the decoy cryptographic key 220. In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion); and
a threat management facility (FIG. 3) configured to provide a honey pot file, ... to store the key material in the central key store, to detect use of the key material from the central keystore associated with a decryption of the honeypot file, and [intrusion detection] responsive to the decryption (FIG. 3 and col. 2, lines 65-col. 3, lines 3 - For example, the threat analysis service may deploy decoy files within a customer file system, decoy data within a customer database, decoy cookies with the customer browser or decoy cryptographic keys within a cryptographic key server used by the customer) and col. 6, lines 43-61 –  The decoy cryptographic key 220 is a cryptographic key that is accessible via the decoy virtual server 214. In some implementations, the decoy cryptographic key 220 is stored in memory on the decoy virtual server 214. In other implementations, the decoy cryptographic key 220 is stored on a cryptoprocessor used by the decoy virtual server 214. If an attacker uses the decoy cryptographic key 220 to generate a digital signature, encrypt data, or decrypt data, the threat analysis service detects the use of the decoy cryptographic key 220 by verifying the digital signature, decrypting the encrypted data, or detecting the successful decryption of data encrypted with the decoy cryptographic key 220. In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion).
Sharifi Mehr fails to explicitly disclose:
a data store in an enterprise network; 
...to cryptographically secure the honeypot file with the key material, to store the cryptographically secure honeypot file on the data store, ... and to initiate a remedial action responsive to....
However, in an analogous art, Shulman teaches a method comprising:
a data store in an enterprise network (Shulman, [0063]-[0064] - At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216. At circle `2` the intruder 124, via the client end station 125, connects to the client end station 120A and discovers, at circle `3`, the existence of the reverse honey token 130A within the configuration repository 128);
[provide a honey pot file] (Shulman, [0063] - At circle `1C`, after receipt of the RHT script 150A, the client end station 120A executes the RHT script 150A, which logically performs the following flow: first, at block 210, the client end station 120A generates an encryption key using the seed value 202 according to well-known encryption algorithms in common use... At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216), to cryptographically secure the honeypot file with the key material, to store the cryptographically secure honeypot file on the data store, ...and to initiate a remedial action responsive to....(Shulman, [0063]-[0064] - At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216. At circle `2` the intruder 124, via the client end station 125, connects to the client end station 120A and discovers, at circle `3`, the existence of the reverse honey token 130A within the configuration repository 128 and [0066]-[0068] - At circle `4`, the intruder 124, again via the client end station 125, transmits a set of one or more packets 132 including a request designed to access enterprise data of one of the servers (112, 114, 116) of the server end stations 110. This request carried by the set of packets 132 includes the reverse honey token 130A... If a candidate value does match the prefix value 204, the flow continues with block 224 and the RHT detection module may also optionally immediately generate an alert 140, which in some embodiments includes transmitting 230 a notification message to another enterprise user such as an administrator)
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Shulman to the honeypot file/key material of Sharifi Mehr to include a data store in an enterprise network;  ...to cryptographically secure the honeypot file with the key material, to store the cryptographically secure honeypot file on the data store, ... and to initiate a remedial action responsive to....
One would have been motivated to combine the teachings of Shulman to Sharifi Mehr to do so as it provide users with a means for detection of comprised insiders (Shulman, [0002]).





Claim 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10,521,184 A1) in view of Shulman (US 2016/0301712 A1) and further in view of Yates et al. (US 2009/0327723 A1).

Regarding Claim 10;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr further discloses wherein the retrieval of the key material... (col. 6, lines 43-61 –  The decoy cryptographic key 220 is a cryptographic key that is accessible via the decoy virtual server 214. In some implementations, the decoy cryptographic key 220 is stored in memory on the decoy virtual server 214. In other implementations, the decoy cryptographic key 220 is stored on a cryptoprocessor used by the decoy virtual server 214. If an attacker uses the decoy cryptographic key 220 to generate a digital signature, encrypt data, or decrypt data, the threat analysis service detects the use of the decoy cryptographic key 220 by verifying the digital signature, decrypting the encrypted data, or detecting the successful decryption of data encrypted with the decoy cryptographic key 220. In some implementations, the threat analysis service examines stored data accessible to the customer virtual network 202 and identifies digital signatures or encrypted data that use the decoy cryptographic key 220. If use of the decoy cryptographic key 220 is discovered, the threat analysis service records diagnostic information that is usable to detect the intrusion);
Sharifi Mehr and Shulman fail to explicitly disclose wherein the retrieval of the key material is requested from a decryption tool on an endpoint.
However, in an analogous art, Yates teaches wherein the retrieval of the key material is requested from a decryption tool on an endpoint (Yates, FIG. 8 and [0077] - decryption tool retrieves the key).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Yates to the method of Sharifi Mehr and Shulman to include wherein the retrieval of the key material is requested from a decryption tool on an endpoint. 
One would have been motivated to combine the teachings of Yates to Sharifi Mehr and Shulman to do so as it provides users with a means for securely transferring objects between computing devices (Yates, [0001]).












Claim 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10,521,184 A1) in view of Shulman (US 2016/0301712 A1) and further in view of Bantz et al. (US 2006/0112418 A1)

Regarding Claim 16;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr teaches wherein providing the honeypot file... ( col. 2, lines 65-col. 3, lines 3 - For example, the threat analysis service may deploy decoy files within a customer file system, decoy data within a customer database, decoy cookies with the customer browser or decoy cryptographic keys within a cryptographic key server used by the customer).
Shulman further teaches wherein providing the honeypot file includes selecting ... on the data store and storing the tagged file on the data store ... as... the honey pot file (Shulman, [0063]-[0064] - At circle `1C`, after receipt of the RHT script 150A, the client end station 120A executes the RHT script 150A, which logically performs the following flow: first, at block 210, the client end station 120A generates an encryption key using the seed value 202 according to well-known encryption algorithms in common use... At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216. At circle `2` the intruder 124, via the client end station 125, connects to the client end station 120A and discovers, at circle `3`, the existence of the reverse honey token 130A within the configuration repository 128);
Sharifi Mehr and Shulman wherein providing the ... file includes selecting a non-confidential file available on the data store and storing the tagged file on the data store as an older version of the ... file.
However, in an analogous art, Bantz teaches wherein providing the ... file includes selecting a non-confidential file available on the data store and storing the tagged file on the data store as an older version of the ... file ([0032] - The times associated with the decoy files and the original file may be modified to make it appear, for instance, that the original file is older than the decoy files).  The examiner further notes a person of ordinary skill in the art would realize the teachings of Bantz that times associated with decoy and original files may be modified, thus one alternative modification that would be an obvious variant to those of ordinary skill in the art by design choice, can be to make the decoy file older than the original file.  
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Bantz to the method of Sharifi Mehr and Shulman to include wherein the retrieval of the key material is requested from a decryption tool on an endpoint. 
One would have been motivated to combine the teachings of Yates to Sharifi Mehr and Shulman to do so as it provides users with a means for protection of information in computing devices (Bantz, [0001]). 




Claim 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10,521,184 A1) in view of Shulman (US 2016/0301712 A1) and further in view of Schlemmer et al. (US 2011/0246531 A1).

Regarding Claim 17;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr teaches wherein providing the honeypot file... ( col. 2, lines 65-col. 3, lines 3 - For example, the threat analysis service may deploy decoy files within a customer file system, decoy data within a customer database, decoy cookies with the customer browser or decoy cryptographic keys within a cryptographic key server used by the customer)
	Shulman teaches wherein providing the honeypot file includes... one or more properties suitable for use as a honey pot file (Shulman, [0063]-[0064] - At circle `1C`, after receipt of the RHT script 150A, the client end station 120A executes the RHT script 150A, which logically performs the following flow: first, at block 210, the client end station 120A generates an encryption key using the seed value 202 according to well-known encryption algorithms in common use... At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216. At circle `2` the intruder 124, via the client end station 125, connects to the client end station 120A and discovers, at circle `3`, the existence of the reverse honey token 130A within the configuration repository 128).
Sharifi Mehr and Shulman fail to explicitly disclose ...providing a crawler that traverses the enterprise network to locate documents having one or more properties...
However, Schlemmer teaches ...providing a crawler that traverses the enterprise network to locate documents having one or more properties... (Schlemmer, [0045] - As shown, the agent pool 408A and 408B may include a first crawler agent 410A and 410B, a second crawler agent 412A and 412B, and a maintenance agent 414A and 414B. The first crawler agent 410A and 410B and/or second crawler agent 412A and 412B may each categorize data stored in trie files stored in the trie file queue 404A and 404B, download content (e.g. web pages, etc.) identified by the data stored in the trie files, analyze such content (e.g. for malware, etc.) and/or gather any other information associated with the data stored in the files).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Schlemmer to the honeypot file of Sharifi Mehr and Shulman to include ...providing a crawler that traverses the enterprise network to locate documents having one or more properties. 
One would have been motivated to combine the teachings of Schlemmer to Sharifi Mehr and Shulman to do so as it provides users with a means for gathering any other information associated with the data stored in the files (Schlemmer, [0045]).






Claim 18 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10,521,184 A1) in view of Shulman (US 2016/0301712 A1) and further in view of Nakamura et al. (US 2012/0030242 A1).

Regarding Claim 18;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr and Shulman further disclose/teach the honey pot to attract unauthorized, malicious users of the enterprise network (Sharifi Mehr, col. 2, lines 65-col. 3, lines 3 - For example, the threat analysis service may deploy decoy files within a customer file system, decoy data within a customer database, decoy cookies with the customer browser or decoy cryptographic keys within a cryptographic key server used by the customer and Shulman, , [0063]-[0064] - At circle `1C`, after receipt of the RHT script 150A, the client end station 120A executes the RHT script 150A, which logically performs the following flow: first, at block 210, the client end station 120A generates an encryption key using the seed value 202 according to well-known encryption algorithms in common use... At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216. At circle `2` the intruder 124, via the client end station 125, connects to the client end station 120A and discovers, at circle `3`, the existence of the reverse honey token 130A within the configuration repository 128).
Sharifi Mehr and Shulman fail to explicitly disclose further comprising modifying an access control list for [a] file ...by limiting the access control list to a small number of users.  
	However, in an analogous art, Nakamura teaches further comprising modifying an access control list for [a] file ...by limiting the access control list to a small number of users  (Nakamura, FIG. 1 and FIG. 4 and FIG. 9 and FIG. 14 and [0074] and [0085] – specified user and/or specified group)
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakamura to the honeypot file of Sharifi Mehr and Shulman to include further comprising modifying an access control list for [a] file ...by limiting the access control list to a small number of users.
One would have been motivated to combine the teachings of Nakamura to Sharifi Mehr and Shulman to do so as it provides users with a means for performance of file access control processing (Nakamura, [0018]).

Regarding Claim 19;
Sharifi Mehr and Shulman disclose the method to Claim 2.
Sharifi Mehr and Shulman further disclose/teach the honey pot to attract unauthorized, malicious users of the enterprise network (Sharifi Mehr, col. 2, lines 65-col. 3, lines 3 - For example, the threat analysis service may deploy decoy files within a customer file system, decoy data within a customer database, decoy cookies with the customer browser or decoy cryptographic keys within a cryptographic key server used by the customer and Shulman, , [0063]-[0064] - At circle `1C`, after receipt of the RHT script 150A, the client end station 120A executes the RHT script 150A, which logically performs the following flow: first, at block 210, the client end station 120A generates an encryption key using the seed value 202 according to well-known encryption algorithms in common use... At block 214, the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 128 at block 216. At circle `2` the intruder 124, via the client end station 125, connects to the client end station 120A and discovers, at circle `3`, the existence of the reverse honey token 130A within the configuration repository 128).
Sharifi Mehr and Shulman fail to explicitly disclose further comprising modifying an access control list for the [a] file ... by including an open access user in the access control list.  
	However, in an analogous art, Nakamura teaches further comprising modifying an access control list for the [a] file ... by including an open access user in the access control list (Nakamura, FIG. 1 and FIG. 4 and FIG. 9 and FIG. 14 and [0074] and [0085] – specified user and/or specified group)
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakamura to the honeypot file of Sharifi Mehr and Shulman to include further comprising modifying an access control list for the [a] file ... by including an open access user in the access control list
One would have been motivated to combine the teachings of Nakamura to Sharifi Mehr and Shulman to do so as it provides users with a means for performance of file access control processing (Nakamura, [0018]).





Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KARI L SCHMIDT/Primary Examiner, Art Unit 2439