Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Priority
No claim for foreign priority has been made to date.
Information Disclosure Statement
The two information disclosure statements (IDSs) submitted on February 14, 2020, and the singular IDS submitted on March 28, 2022, comply with the provisions of 37 CFR 1.97, and are being considered by the examiner.
Specification
No concerns have been found with respect to the specification.
Drawings
No concerns have been found with respect to the drawings.
Claim Objections
Claims 7 and 13 are objected to because of the following informalities:  
Claim 7, line 3, change “stores” to “store” for improved English.
Claim 7, line 5, “an additional fictitious data entries” should be changed to “additional fictitious data entries“, for improved English.
Claim 13, line 2, “date entry” should be corrected to “data entry”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-9, 11, 14, 17, 20 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”. 
Per claim(s) 1, Israeli discloses:
A tangible, non-transitory, machine-readable medium (Israeli “security manager computer 200’s memory…”) storing instructions that when executed by one or more processors effectuate operations (Israeli FIGS. 2-4) comprising:
obtaining, with one or more processors, a fictitious data entry (Israeli FIG. 2, operation 1010; “…Generate Decoy Credit Card Numbers…”) associated with a field present in a plurality of records associated with an online resource (Israeli FIG. 1’s “Database Table”, see “Decoy Credit Card Number” field), wherein:
the fictitious data entry is generated based on a criteria used to generate other non- fictious data entries associated with the field in at least some of the records (Israeli para. [0004], [0008] and [0030], actual credit card numbers and decoy credit card numbers are all generated in accordance with requirements of a Luhn algorithm),
the fictitious data entry is caused to be stored in at least some of the records in association with the field in a first set of one or more repositories to be monitored for breaches (Israeli para. [0024], “…As shown in FIG. 1, a database 250 stores, for each decoy credit card number, the identifier of a POS terminal in which the decoy credit card number was injected, and a date & time when the decoy credit card number was injected…”; while Israeli’s FIG. 1 illustrates databases 150, 250 and 350 (all storing common synchronized data) and the POS RAMs (each storing a unique fictitious (credit card number) data, and legitimate credit card numbers from POS purchases), then, for the purposes of mapping the present claim(s), FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 is being interpreted as the claimed “first set of one or more repositories” to be monitored for breaches),

the fictitious data entry complies with a syntax of the non-fictious entries (Israeli para. [0004], [0008] and [0030], actual credit card numbers and decoy credit card numbers are all generated in accordance with requirements of a Luhn algorithm);
sending, with one or more processors, a query to a monitoring  [process], the query specifying the fictitious data entry and a request to determine whether a second repository of (Israeli’s monitoring “process” implicitly teaches a “monitoring application”;  more particularly, Israeli’s FIG. 2 flowchart (especially a right column thereof) and Israeli’s para. [0026] are being interpreted as disclosing an process of monitoring, i.e., Israeli’s para. [0026] states, “…When an attempt is made to use a decoy credit card number, an alert notification including the decoy credit card number is sent to security computer 200. When security computer 200 receives the alert notification, security computer 200 looks up the decoy credit card number in database 250 and extracts the POS identifier and the date & time associated with the decoy credit card number. Security manager computer 200 then identifies legitimate credit card numbers that were processed by the identified POS terminal during a time period including the identified date & time. Security manager 200 sends credit card company or retailer computer 300 a list identifying the identified legitimate credit card numbers as credit card numbers that may have been compromised…”; while Israeli’s FIG. 1 illustrates synchronized databases 150, 250 and 350 which could each be used to see whether the decoy credit card number (which was attempted to be used) is included therein, then, for mapping the present claim(s), database 250 is being interpreted as the claimed “second repository”; further, the claimed phrase “looks up” is being interpreted as the claimed “query”; NOTE: While Israeli implicitly teaches a “monitoring application” via its monitoring process, Margalit (cited ahead) also explicitly teaches a “monitoring application” in the form of a computer program);
in response to the query, receiving, with one or more processors, query results indicating that the second repository of (Israeli para. [0042], “…security manager computer 200 looks up the decoy credit card number sent by POS AAA in database 250, and identifies POS XXX as being the source of the decoy credit card numbers.…”; providing the identification of POS XXX is being interpreted as receiving query results (indicating inclusion) responsive to the query of looking up whether the second repository includes the fictitious data entry; the database 250 was interpreted above, as the “second repository”);
in response to the received indication that the second repository of (Israeli para. [0042], “…security manager computer 200 looks up the decoy credit card number sent my POS AAA in database 250, and identifies POS XXX as being the source of the decoy credit card numbers.”; for purposes of the mapping of the present claim(s), FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 which was interpreted above to be part of the “first set of one or more repositories”, has been identified as storing the fictitious data entry);
designating, with one or more processors, other data entries within the at least some of the first set of one or more repositories as potentially having been breached (Israeli para. [0042], “…security manager computer 200 looks up the decoy credit card number sent my POS AAA in database 250, and identifies POS XXX as being the source of the decoy credit card numbers. …Security manager computer 200 then requests and receives logs of legitimate credit card numbers that were processed by POS XXX at around date D and time T. These legitimate credit card numbers are the ones that were potentially compromised during the breach of POS XXX by the attacker, since POS XXX stores credit card numbers in its RAM. The logs may be obtained from POS XXX, which maintains a log of transactions.”; for purposes of the mapping of the present claim(s), FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 which was interpreted above to be part of the “first set of one or more repositories”, is found to provide the “other data entries.); and

Israeli does not disclose, but Margalit further explicitly teaches utilizing illicitly-available compromised data to more quickly detect breaches.  In contrast, Israeli’s “usage” detection arrangement may result in an indeterminably long period of time (e.g., months, years) between when a database is hacked and when a compromised (legitimate or fictitious) credential might actually be used publicly.  Thus, Israeli’s usage monitoring arrangement, in essence, remains ineffective until a credential actually gets used, which may allow a breach to go undetected and continue for a significant period of time.  Margalit (within the same art) teaches two differing ways of determining whether data has been compromised, i.e., Margalit para. [0030] teaches that “…The hacked database identification program may identify a database that has been compromised once the hacked data has been used or even before being used, for example, when intercepted upon publication on the dark web. …”    
In contrast to Israeli implicitly teaching a “monitoring application via a monitoring “process”, Margalit further teaches a “monitoring application” explicitly in the form of a computer program, i.e., Margalit teaches a “hacked database identification program” utilizing fictitious (Margalit para. [0027]) “…Marked data …[which] …may be …credit cards…”, to (para. [0026]) “…add marked data into a database …[and] …monitoring …for usage of the marked data may provide a source of the stolen data once the stolen data is used by the hacker …”, and (para. [0030]) “…may identify a database that has been compromised once the hacked data has been used…”, [as well as] (para. [0040]) “…establish a time frame the hacker may have compromised a certain database …”), etc.  
In view of Margalit’s teachings as discussed above, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine Margalit’s “intercepted upon publication on the dark web” teachings into Israeli’s arrangement because doing so (Margalit para. [0030]) “…may identify a database that has been compromised …even before being used”.   Further, it would have been prima facie obvious to modify to a monitoring program as explicitly taught by Margalit, to result in a program-embodied “…monitoring application…”.  
Motivation to modify to an Israeli/Margalit combination including Margalit’s “intercepted upon publication on the dark web” teachings, would have been (Margalit para. [0030]) to detect compromised credit card numbers more quickly than simply remaining idle waiting for their usage.  Further, motivation for modifying the combination to include a program-embodied “…monitoring application…” per Maralit’s teachings, would have been to utilize a coded program to automatically perform monitoring for breaches.
The combination of Israeli/Margalit does not disclose, but Catlett (in the relevant Honeytoken art) teaches (Catlett column 6, lines 6-17) comparing generated (e.g., fictitious) data against actual data to avoid matching actual data to maintain the arrangement’s data integrity.  It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify to the Israeli/Margalit combination to include comparison against actual data, as taught by Catlett, to result in an arrangement where:
	the fictious data entry is different from the non-fictious data entries.  
Motivation for modifying to ensure different fictitious data entries per Catlett’s teachings would have been to avoid the customer's account or the banking system's data integrity being potentially compromised (Catlett column 6, lines 12-13).
The Israeli/Margalit/Catlett combination does not teach a specific procedure to explicitly obtain/use compromised publication data, but Healy (again in the same credit card security art) teaches (Healy para. [0121]-[0122]) that, “…[0121] The system administrator can identify credit card numbers listed on web pages known to sell, or distribute, compromised credit cards. For instance, web pages that sell compromised credit cards can list a portion of information identified on each credit card, such as the first several numbers (e.g., 4, 6) numbers of a credit card, the last several numbers (e.g., 2, 4), expiration date, and so on.  [0122] The system administrator can obtain the portions of credit card numbers, and compare the numbers to transaction data stored by the system (e.g., transaction data from particular locations of the business). Upon a threshold percentage match (e.g., 70%, 80%, 90%), the system administrator can determine that the credit cards were obtained by a malicious actor…”.  A system administrator (of a resultant Israeli/Margalit/Catlett/Healy combination) obtaining “the portions of credit card numbers” from the “web pages”, would logically store the portions of the credit card numbers within Israeli’s synchronized databases 150, 250, 350 (as opposed to storing within the limited-space POS RAMs).    
Healy further teaches that it was known to store the results of a process into memory, i.e., Healy para. [0124] teaches generally for all its disclosed processes that “…The results of the disclosed processes and process steps may be stored, persistently or otherwise, in any type of non-transitory computer storage such as, for example, volatile or non-volatile storage…”.   
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, for the Israeli/Margalit/Catlett combination to store designation results, as taught by Healy, to result in an arrangement of: storing, with one or more processors, the designation in memory.  Further, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, that the databases 150, 250, 350 (and thus the “second repository” 250) would include the “compromised data”.  Also, per the teachings of Healy (Healy para. [0122]), it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, for the Israeli/Margalit/Catlett/Healy combination to “compare the numbers to transaction data stored by the system”.  
Motivation for modifying to the Israeli/Margalit/Catlett/Healy combination to obtain/use compromised data using the procedures of Healy would have been (Margalit para. [0030]) to detect compromised credit card numbers (legitimate and/or fictitious) “…even before being used, for example, when intercepted upon publication on the dark web…”.   Further, motivation for modifying to the Israeli/Margalit/Catlett/Healy combination storing the results in memory, would have been to have the results available for subsequent processes (e.g., for sending the designated compromised credit card numbers to credit card companies, etc.).
Per claim 23, such independent method claim has features/limitations corresponding to the features/limitations of independent medium/program claim 1, and is therefore rejected with the same rationale and motivation as independent medium/program claim 1 as set forth above.
Per claim(s) 2, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  Israeli further discloses: wherein generating the fictitious data entry includes storing, in memory, a value indicative of a date on which the data fictitious entry was stored in the first set of one or more repositories (Israeli para. [0011], “… for each decoy credit card number the database stores a POS terminal into which the decoy credit card number was injected, and the date & time of the injection…”; FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was interpreted above as the “first set of one or more repositories”).
Per claim(s) 3, the above rejection of parent claim 2 (from which this claim depends) is incorporated by reference.  Israeli further discloses:
wherein the operations comprise:
in response to the received indication that the second repository of compromised data includes the fictitious data entry, accessing, with one or more processors, the value indicative of the date on which the data fictitious entry was stored in the first set of one or more repositories (Israeli para. [0024], “…a database 250 stores, for each decoy credit card number, the identifier of a POS terminal in which the decoy credit card number was injected, and a date & time when the decoy credit card number was injected …”; Israeli para. [0026], “…When security computer 200 receives the alert notification, security computer 200 looks up the decoy credit card number in database 250 and extracts the POS identifier and the date & time associated with the decoy credit card number…”; the “date & Time” is being interpreted as the claimed “value” accessed; FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was interpreted previously as the claimed “first set of one or more repositories”; FIG. 1’s database 250 was interpreted previously as the claimed “second repository”; Israeli para. [0042] specifically teaches obtaining a date and time associated with POS terminal ID=XXX’s RAM 120.); and
inferring, with one or more processors, a date of a breach of the first set of one or more repositories based on the value (Israeli para. [0028], “…when attempted use of a decoy credit card number is detected, the date & time stored in database 250 may be used to infer the date & time of the breach of the POS terminal…”; Israeli para. [0026], “…When security computer 200 receives the alert notification, security computer 200 looks up the decoy credit card number in database 250 and extracts the POS identifier and the date & time associated with the decoy credit card number. Security manager computer 200 then identifies legitimate credit card numbers that were processed by the identified POS terminal during a time period including the identified date & time.…”; the “date & Time” is being interpreted as the claimed “value”; FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was, and remains, interpreted as the claimed “first set of one or more repositories”; FIG. 1’s database 250 was, and remains, interpreted as the claimed “second repository”).
Per claim(s) 4, the above rejection of parent claim 3 (from which this claim depends) is incorporated by reference.  Israeli further discloses:
wherein within the at least some of the first set of one or more repositories as potentially having been breached comprises selecting a subset of records in the first set of one or more repositories and designating the subset of records as potentially having been breached based on the subset of records predating the inferred date (Israeli para. [0026], “…When security computer 200 receives the alert notification, security computer 200 looks up the decoy credit card number in database 250 and extracts the POS identifier and the date & time associated with the decoy credit card number. Security manager computer 200 then identifies legitimate credit card numbers that were processed by the identified POS terminal during a time period including the identified date & time.…”; the “date & Time” is being interpreted as the claimed “value”; Israeli FIG. 4 and para. [0046], provide an example in which a credit card “CC1” predating a “…time of breach, T’…“, is then determined as possibly having been breached; FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was, and remains, interpreted as the claimed “first set of one or more repositories”; FIG. 1’s database 250 was, and remains, interpreted as the claimed “second repository”).
Per claim(s) 5, the above rejection of parent claim 2 (from which this claim depends) is incorporated by reference.  Israeli further discloses, but as a preface to more detailed discussions, attention is first directed to Israeli’s FIG. 4 and para. [0046] which disclose an on-going serial time-line example in which a “range of time” of a breach is indicated as ∆T’.  For purposes of the present examination, in the claim 5 discussions to follow, Israeli’s FIG. 4 DCC0 (not shown, but would have been inferred by one of ordinary skill in the art (at the time of Applicant’s invention) based on an understanding of Israeli’s FIG. 4 serial time-line) is being taken as the claimed “previous fictitious data entry”, DCC1 (explicitly illustrated and discussed) is being taken as the claimed “fictitious data entry”, and DCC2 (explicitly illustrated and discussed) is being taken as the claimed “next fictitious data entry”.  Accordingly, with such preface having been noted, Israeli further discloses:
wherein the operations comprise:
identifying, with one or more processors, a previous fictitious data entry (“DCC0”) and a next fictitious data entry (“DCC2”), the previous fictitious data entry (“DCC0”) being stored therein (at time “T0”; not shown, but would have been inferred by one of ordinary skill in the art (at the time of Applicant’s invention) from the FIG. 4 serial time-line) before the fictitious data entry (“DCC1”; stored at time “T”), the next fictitious data entry (“DCC2”) being stored therein (stored at time “T2”) after the fictitious data entry (“DCC1”; stored at time “T”), the previous fictitious data entry (“DCC0”) being deleted from the first set of one or more repositories in response to the storing of the data fictitious entry, and the data entry being deleted from the one or more databases in response to the storing of the next data entry (Israeli para. [0045], “…at time T+ΔT a new decoy credit card number, denoted DCC2, is injected into POS RAM and the previous decoy credit card number, DCC1, is deleted from POS RAM…”; FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was interpreted previously as the claimed “first set of one or more repositories”; FIG. 1’s database 250 was interpreted previously as the claimed “second repository”);
in response to identifying the previous fictitious data entry (“DCC0”) and the next fictitious data entry (“DCC2”), identifying, with one or more processors, a date and time on which the previous fictitious data entry (“DCC0”) was generated and a date and time on which the next fictitious data entry (“DCC2”) was generated (Israeli para [0046], “…decoy credit card numbers are changed each time interval ΔT…”; Israeli para. [0045], “…At time T a decoy credit card number, denoted DCC1, is injected into POS RAM…”; given that Israeli discloses knowledge of DCC1 injection time T and of the periodicity of changing the decoy credit card numbers, Israeli’s disclosure knows the dates/times of the previous and next fictitious data entries;
in response to a received indication that the repository of compromised data does not include the previous fictitious data entry (“DCC0”) and the next fictitious data entry (“DCC2”) at a time and date after the generation (T+ ΔT) of the next fictitious data entry (“DCC2”) and in response to the received indication that the repository of compromised data includes the data fictitious entry (Per the Israeli disclosure (especially FIG. 4’s serial time-line and para. [0045]-[0046]), if a breach occurred immediately before (for example) Israeli FIG. 4’s “T+∆T” DCC2 injection time, it would have been logical (i.e., obvious) to the one of ordinary skill in the art that notification of the breach likely would have been received after the Israeli FIG. 4’s “T+∆T” DCC2 injection time (e.g., owing to non-instantaneous, communication delays); Further, it would have been logical (i.e., obvious) to the one of ordinary skill in the art that only the DCC1 decoy (and not the DCC0 and DCC2 decoys) would have been stored and compromised from breached memory (POS RAM) immediately before the Israeli FIG. 4’s “T+∆T” DCC2 injection time (i.e., DCC0 would have been erased previously, and DCC2 would not have been added yet), determining a range of time during which the first set of one or more repositories has been breached, the range of time being between the time and date the fictitious data entry (“DCC1”) was stored in the first set of one or more repositories and the time and date the next fictitious data entry (“DCC2”) was stored in the first set of one or more repositories (Per Israeli disclosure (especially FIG. 4’s serial time-line and para. [0045]-[0046]), if a received breach notification only included the DCC1 decoy (and not the DCC0 and DCC2 decoys), then the “range of time” during which the breach occurred would have necessarily been within Israeli FIG. 4’s time period from “T” (DCC1 injection time) to “T+∆T” (DCC2 injection time (and corresponding DCC1 deletion time)), as this is the only FIG. 4 time period in which the DCC1 decoy (and not the DCC0 and DCC2 decoys) was stored in the breached memory and available to be compromised); FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was interpreted previously as the claimed “first set of one or more repositories”; FIG. 1’s database 250 was interpreted previously as the claimed “second repository”).
Per claim(s) 6, the above rejection of parent claim 5 (from which this claim depends) is incorporated by reference.  Israeli further discloses:
wherein a subset of the other data entries within the first set of one or more repositories is identified based on the determined range of time (Per the Israeli disclosure (especially FIG. 4’s serial time-line and para. [0045]-[0046]), only those data entries which existed within a breached repository during the possible “breach” time range from “T” (DCC1 injection time) to “T+∆T” (DCC2 injection time (and corresponding DCC1 deletion time)) were accessible within the breached repository, and thus, those data entries would be logically identified based on the determined range of time; FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was, and remains, interpreted as the claimed “first set of one or more repositories”; FIG. 1’s database 250 was, and remains, interpreted as the claimed “second repository”).
Per claim(s) 7,  the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  Israeli further discloses:
	The medium of claim 1, wherein the operations comprise:
identifying, with one or more processors, the first set of one or more repositories that stores the fictitious data entry (Israeli para. [0011], “…detection of attempted use, anywhere in the world, of a decoy credit card number that was injected into a POS terminal may be used to infer the identity of the POS terminal that was breached by a RAM scraper, and the time of the breach. In turn, the identity of the POS terminal that was breached and of the time of the breach may be used to infer the legitimate credit card numbers that were available to the RAM scraper…”; FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was, and remains, interpreted above as the “first set of one or more repositories”, and such repository would have stored the fictitious data entry);
•••
sending, with one or more processors, another query to the monitoring application, the other query including the additional fictitious data entries and a request to determine whether a repository of compromised data includes the additional fictitious data entries (Israeli para. [0033]-[0035], “…notification of attempted use of a decoy credit card number …may be sent to security manager computer 200 from a POS terminal 100. Specifically, when POS terminal 100 authorizes a credit card, it checks database 150 to see if the credit card number is a decoy credit card number. If so, …when POS terminal 100 transmits a data batch to credit card company or retailer computer 300, credit card company or retailer computer 300 checks database 350 to see if one of the credit card numbers in the data batch is a decoy credit card number. If so, a notification is transmitted to security manager computer 200.  [0034] At operation 1050, security manager computer 200 consults database 250 and extracts the POS terminal ID and the date & time from database 250.  [0035] At operation 1060, security manager computer 200 identifies legitimate credit card numbers processed by POS terminal in a time interval including the extracted data & time…; in this scenario, if a second data entry within the data batch was also found to be a decoy credit card number, it would also be sent to the security manager computer 200 which would consult the database 250 (including for-sale “compromised data” from illicit web sites per the Margalit/Healy teachings described above with respect to claim 1);
in response to the other query, receiving, with one or more processors, other query results indicating whether the repository of compromised data includes one or more of the additional data entries (Israeli’s database 250 (including for-sale “compromised data” from illicit web sites) would provide an indication of whether the second decoy credit card information was compromised via being offered for sale on the illicit web sites, while the Israeli FIG. 1 “database table” of database 250 would indicate the POS Terminal that was breached and a date and time that the second decoy credit card had been posted within the database (Israeli para. [0034], “…[0034] At operation 1050, security manager computer 200 consults database 250 and extracts the POS terminal ID and the date & time from database 250…” ); and
identifying, with one or more processors, a subset of the first set of one or more repositories based on the other query results (Israeli para. [0035], “…At operation 1060, security manager computer 200 identifies legitimate credit card numbers processed by POS terminal in a time interval including the extracted data & time.  …).
Israeli does not disclose, but Margalit further explicitly teaches in response to the identification of the first set of one or more repositories, identifying, with one or more processors, an additional fictitious data entries generated and stored in each of the first set of one or more repositories (Margalit para. [0031], “…periodically adding marked data into a database (i.e., periodic merchant orders) to narrow down a time frame in which the database has been hacked. …”; it would have been logical (i.e., obvious) in response to one fictitious entry having been used (thus indicating a breach), to check whether any other fictitious entry within that database has also been used so as to “narrow down a time frame in which the database has been hacked”; for example, if fictitious data entry (e.g., decoy credit card number A) posted to the database at 9:00 am had been used (e.g., actually used or offered for sale on an illicit site) while another fictitious data entry (e.g., decoy credit card number B) had not been used, such information can be used to infer that the database breach occurred within the time range of 9:00 am to 11:59 am; accordingly, given that FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was, and remains, interpreted above as the “first set of one or more repositories”, any second fictitious data entry within POS terminal ID=XXX’s RAM 120 would have been identified as also possibly having been breached) if a second fictitious data entry had been stored .) Israeli para. [0046], “…If an attempt is made to use DCC1, anywhere in the world, then it can be inferred that POS terminal 100 was breached, and the time of breach, T′, and the credit card numbers compromised during the breach may be inferred…”), the respective additional fictitious data entries in each of first set of one or more repositories being distinct from each other (Maraglit further teaches (Margalit para. [0040]) that “…Different fictitious marked accounts may be used for different merchants and different databases to identify a particular database with a particular fictitious marked account…”; different fictitious marked accounts would also be used to identify a particular posting time with a particular fictitious marked account).
In view of Margalit’s teachings as discussed above, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine Margalit’s “periodically adding marked data” and “distinct additional fictitious data entry” teachings into Israeli’s arrangement because doing so would help estimate “when” a breach occurred, and “which” repository was breached.  Motivation to modify to an Israeli/Margalit/Catlett/Healy combination would have been (Margalit para. [0031]) to provide an arrangement to “narrow down a time frame in which the database has been hacked”, and (Margalit para. [0022], “…provide a method to identify which database has been breached by a hacker…”.
Per claim(s) 8, the above rejection of parent claim 7 (from which this claim depends) is incorporated by reference.  Israeli further discloses: wherein identifying the other fictitious data entries within the first set of one or more repositories includes identifying a subset of the other data entries within the subset of the first set of one or more repositories (Israeli FIG. 1 “database table” of database 250 would indicate the POS Terminal that was breached and a date and time that the second decoy credit card had been posted within the database (Israeli para. [0034], “…[0034] At operation 1050, security manager computer 200 consults database 250 and extracts the POS terminal ID and the date & time from database 250…”; Israeli para. [0035], “…At operation 1060, security manager computer 200 identifies legitimate credit card numbers processed by POS terminal in a time interval including the extracted data & time…).
Per claim(s) 9, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  Catlett further teaches: wherein the fictitious data entry includes a set of user- authentication credentials comprising a first username and a first fictitious password and wherein…  (Catlett column 4, lines 62-66, “…The honeytoken data in this example may include …network login credentials (e.g., usernames and passwords)…”).  It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine Catlett’s “credentials” teachings into Israeli/Margalit/Catlett/Healy combination because doing so (Catlett col. 6, lines 6-8) would insure “…that false honeytoken data not collide, or match, with any actual customer data stored in the database 121…”.  Motivation to modify to an Israeli/Margalit/Catlett/Healy combination would have been (Catlett col. 6, lines 12-13) would avoid “…the customer's account and the banking system's data integrity …[to] potentially be compromised…”.
In addition, Margalit further teaches wherein the first username and the first fictitious password are generated based on the criteria used to generate other usernames and passwords (Margalit para [0028], “…Entering the marked data into an online account that saves the data to a database may mimic the regular way an online profile is entered into the database (i.e., the regular way a real customer may enter data to create an online profile) to reduce the chance of automatic detection since even the owner of the database may not know about the fictitiousness of the data…”).  It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine Margalit’s mimicked “username and password” teachings into Israeli/Margalit/Catlett/Healy combination (Margalit para. [0028]) “…for the purpose of being a decoy…” which is believable to a hacker.  Motivation to modify to an Israeli/Margalit/Catlett/Healy combination would have been (Margalit para. [0028]) “…to reduce the chance of automatic detection…” by a hacker, of the fictitious data.
Per claim(s) 11, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  Israeli further teaches wherein: the data entry includes at least one of a credit card number (Israeli FIG. 2, operation 1010; “…Generate Decoy Credit Card Numbers…”), gift card number, or voucher code and wherein the credit card number, gift card number, or voucher code is generated based on the criteria used to generate other credit card numbers (Israeli para. [0004], [0008] and [0030], actual credit card numbers and decoy credit card numbers are all generated in accordance with requirements of a Luhn algorithm), gift card numbers, or voucher codes for accessing the online resource; and
the operations comprise, in response to the indication that at least one of the credit card number, gift card number, or voucher code has been breached, causing, with one or more processors, the one or more users associated with the other credit card numbers, gift card numbers, or voucher codes to be notified of the breach (Israeli para. [0026], “…Security manager 200 sends credit card company or retailer computer 300 a list identifying the identified legitimate credit card numbers as credit card numbers that may have been compromised…).
Per claim(s) 14, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  Israeli further teaches wherein the operations comprise:
periodically generating, with one or more processors, a new fictitious data entry (Israeli para [0046], “…decoy credit card numbers are changed each time interval ΔT…”; and 
storing the new fictitious data entry in the first set of one or more repositories (Israeli claim 3, “…security manager generates new decoy credit card numbers at regular intervals of time, …and wherein said one or more processors delete the previous decoy credit card numbers from the POS memories and inject the new decoy credit card numbers into the POS memories …; FIG. 1’s left-most POS terminal ID=XXX’s RAM 120 was interpreted above as the “first set of one or more repositories”).
Per claim(s) 17, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  Catlett further teaches wherein the operations comprise:
prior to storing the generated data entry within the one or more databases, determining, with one or more processors, that the generated data entry is distinct from the other data entries stored within the one or more databases (Catlett column 6, lines 6-17, “…it may be desired that false honeytoken data not collide, or match, with any actual customer data stored in the database 121. For example, if a randomly generated honeytoken of network credentials (e.g., a username and password) for an electronic banking system accidentally matched the username and password of an existing customer account, then both the customer's account and the banking system's data integrity may potentially be compromised. Accordingly, false honeytoken data created in step 201 may be cross-referenced against existing customer data to ensure uniqueness before the honeytoken data is stored in the customer database 121. …”); and
in response to the determination that the generated data entry is not distinct from the other data entries stored within the one or more databases, generating, with one or more processors, another data entry based on the criteria used to generate the other similar data entries (Catlett column 6, lines 6-8, “…it may be desired that false honeytoken data not collide, or match, with any actual customer data stored in the database 121…”; it is implied within Catlett, that Catlett thus teaches discarding any generated data entry which collides or matches with an actual data entry, in favor of generating another data entry).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine Catlett’s “distinct” credential teachings into Israeli/Margalit/Catlett/Healy combination because doing so (Catlett col. 6, lines 6-8) would insure “…that false honeytoken data not collide, or match, with any actual customer data stored in the database 121…”.  Motivation to modify to an Israeli/Margalit/Catlett/Healy combination would have been (Catlett col. 6, lines 12-13) would avoid “…the customer's account and the banking system's data integrity …[to] potentially be compromised…”.
Per claim(s) 20, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  Catlett further teaches wherein the operations comprise: steps for generating a fictitious data entry (Israeli para. [0027], “…decoy credit card number generator 130 generates the decoy credit card numbers, then the generated decoy credit card numbers are transmitted to database 250 for storage, together with the POS identifier and the date & time of the generation…”). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine Catlett’s “fictitious data entry generating” teachings into Israeli/Margalit/Catlett/Healy combination because doing so (Catlett col. 6, lines 6-8) would provide “…false honeytoken data…”.  Motivation to modify to an Israeli/Margalit/Catlett/Healy combination would have been (Catlett col. 6, lines 12-13) would be to utilize false honeytoken data to avoid “…the customer's account and the banking system's data integrity …[to] potentially be compromised…”.

Claim(s) 10: stands rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”, and even further in view of Brandwine et al. (US10445514B1), hereinafter, “Brandwine”. 
Per claim(s) 10, the above rejection of parent claim 9 (from which this claim depends) is incorporated by reference.  Margalit further teaches wherein: designating comprises determining the first username and first password has been breached (Margalit para. [0028], “…The marked data may also be associated with fictitious non-valid data linked to detect usage when a hacker may attempt to use the fictitious data, such as a fake social security number, a fake account number or a fake username and fake password.”); and
In addition, Brandwine (also concerning account breaches) teaches:
the operations comprise:
causing, with one or more processors, the one or more users associated with the other usernames and passwords to be notified (Brandwine column 10, lines 22-24], “…Upon detecting 502 that the customer account has been compromised, the process 500 may include notifying 504 the customer that the account has been compromised.  …”) to change the other passwords (Brandwine column 10, lines 22-24], “…a remedial action that may need to be taken by a customer is one that would require a change to the customer's credentials…” and “…the computing resource service provider may require that only the customer be permitted to change a delegate user's credentials…”; Brandwine column 2, lines 16-17 considers a user’s credentials as including “account passwords”); and
blocking, with one or more processors, access to one or more user accounts associated with the other usernames and passwords that have been breached (Brandwine column 2, lines 22-24], “…, the computer resource service provider may restrict access to certain aspects of a customer account if the account is compromised…”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the combination of Israeli/Margalit/Catlett/Healy to include user notifications and account blocking as taught by Brandwine.  Motivation for modifying would have been to inform users when accounts have been compromised, and to prevent unauthorized third parties from accessing the compromised account until remedial precautions have been taken (Brandwine column 10, lines 22-24 and 30-32). 

Claim(s) 12: stands rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”, and finally in view of Chambers et al. (US20120324555A1), hereinafter, “Chambers”.
Per claim(s) 12, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  The Israeli/Margalit/Catlett/Healy combination does not disclose, but Chambers teaches wherein: obtaining the fictitious data entry comprises:
generating a first part of the fictitious data entry (Chambers FIG. 5, “a first part” includes a combination of Head 202f (i.e., “3752”) and Tail 206f (i.e., “3125”));
computing a second part of the fictitious data entry (Chambers FIG. 5, “a second part” includes Body 204f (i.e., “8903374X”, where (Chambers para. [0069]) the second last digit 210f (i.e., “4”) is a “domain designator” and the last digit 500 (i.e., “X”) is a Luhn “check digit”; (Chambers para. [0069]), “…The Luhn validation routine may be used to calculate a check digit X such that the entire token passes Luhn; NOTE: passing the Luhn algorithm is important in that the resultant fictitious data entry formulated will appear to be a valid account number to a hacker) based on the first part (Chambers para. [0069], “…The presence of preserved leading and trailing characters in a tokenized data string will, of course, affect the generation of the token as well as the calculation of the Luhn check digit. …”), the second part containing redundant information relative to the first part (Chambers para. [0070]-[0071], “…[0070] …The Luhn validation routine solves for X using one of the solution methods for the Luhn algorithm.  [0071] For example, for the numbers shown in FIG. 5, …The token generation algorithm, in this example, would replace the check digit X with 8, and return the token "3752 89033748 3125"…”; the “second part” including “89033748” contains the digits “3” and “7” as “redundant information relative to the first part” of “3752” and “3125”); and
conjoining the first part and the second part in the fictitious data (Chambers para. [0071], “…for the numbers shown in FIG. 5, …The token generation algorithm, in this example, would replace the check digit X with 8, and return the token "3752 89033748 3125"…”; such is being interpreted as a “conjoining” of the first part and the second part).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the Israeli/Margalit/Catlett/Healy combination to include the multi-part fictitious data entry formulation taught by Chambers.  Motivation for modifying would have been to adopt a token generation algorithm which formulates fictitious data entries which satisfy the Luhn algorithm, so that the resultant fictitious data entry formulated will appear to be a valid account number to a hacker (Chambers para. [0006], “…The Luhn algorithm, also known as the modulus 10 algorithm, is a checksum formula that is frequently used to validate a variety of numbers, including credit card numbers…”).

Claim(s) 13: stand rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”, even further in view of Anson (AU2013100873A4), hereinafter, “Anson”.
Per claim(s) 13, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  The Israeli/Margalit/Catlett/Healy combination does not disclose, but Anson teaches: 
a set of rules specify whether a date entry in the field is valid; and 
obtaining the fictitious data entry comprises:
determining more than a threshold number of characters for the fictitious data entry, the threshold being specified by one of the rules;
determining a non-alphanumeric character for the fictitious data entry to comply with one of the rules;
determining a numeric character for the fictitious data entry to comply with one of the rules; and
determining a case of a character for the fictitious data entry to comply with one of the rules.
Anson teaches (page 10, lines 8-12) “…As a general principle, passwords generated by the web site software should preferably be at least eight characters in length and should have two lowercase characters, two uppercase, two numbers and two control characters (non-alphanumeric characters).”  Anson also teaches (page 9, lines 10-19) “…When the password entered by a user is received by the web site, additional software functioning within the site can take the password submitted in the form of an electronic signal by the user and begin to transform the password after the signal has been parsed. The web site 15 software will produce a strong password from the phrase "rob the builder" while at the same time keeping the phrase recognizable and memorable, as for example when the phrase "rob the builder" might be transformed into "roB th3*bui!)e4". …”.  Anson is being interpreted as teaching a set of rules for software generated passwords.  A “fictitious password” is being interpreted as an example of the claimed “data entry”, and the “fictitious password” is being interpreted as “valid” if it complies with the set of rules set forth by Anson (e.g., threshold number of characters; non-alphanumeric character; numeric character; case of character).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the Israeli/Margalit/Catlett/Healy combination to implement the software generated password rules of Anson.  Motivation to modify the Israeli/Margalit/Catlett/Healy combination to implement the software generated password rules of Anson, would have been to enhance security and avoid hacker detection by requiring that passwords (actual or fake) comply with a set of minimum rules.

Claim(s) 15: stand rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”, and finally in view of Bennison (US20140281578A1), hereinafter, “Bennison”.
Per claim(s) 15, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  The Israeli/Margalit/Catlett/Healy combination does not disclose, but Bennison teaches wherein:
before sending the query, respective hash values are computed based on entries in the repository of  (While Margalit teaches utilizing compromised data as previously mentioned, Bennison further teaches (para. [0026]) “…clear text data elements may be stored in a database 103 of clear text values, block 120. Processor 101 retrieves the clear text data elements from the database, block 130, and cryptographically hashes the clear text data, block 140. Processor 101 stores the cryptographically hashed values generated from cryptographically hashing the clear text data in a database 104 of cryptographically hashed values, block 150. … The hashed values stored … are now provisioned and ready for use in a method for secure database queries.”); and
the fictitious data entry is determined to be included in the repository of compromised data with operations including:
computing a hash value based on the  (While Israeli teaches fictitious data (e.g., “…Decoy Credit Card Numbers…”) as previously mentioned, Bennison para. [0028], “…receives a query, block 210 and generates hashes, block 220 from the query data it wishes to verify against the protected database …”);
determining that the hash value based on the (While Israeli teaches fictitious data (e.g., “…Decoy Credit Card Numbers…”) and Margalit teaches utilizing compromised data, as previously mentioned, Bennison para. [0029], “…secure processor 102 searches through the hashes stored in a database 106 on the secure processor 102, block 240, and returns `true` …or returns `false` to the non-secure network connected processor if no version …is found in the database…”); and
in response to the match, determining the  (While Israeli teaches fictitious data (e.g., “…Decoy Credit Card Numbers…”) and Margalit teaches utilizing compromised data, as previously mentioned, Bennison para. [0030], “…secure processor returns a 1 indicating a match…”; that is, if Bennison finds a match which is indicative of the fictitious data entry being included in the repository, Bennison’s arrangement will output a “1” showing a positive result from the determination.
Bennison arrangements utilize “hashing” of database entries and a query, to allow one (Bennison para. [0006] “…to perform searches and queries against a database containing sensitive information while maintaining the confidentiality or secrecy of the information contained within the database.”  Bennison teaches (Bennison para. [0028]) “credit card numbers” and “bank accounts” as “sensitive information”.  Israeli’s FIG. 1’s “Database Table” is being interpreted as a “database containing sensitive information”.  
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the Israeli/Margalit/Catlett/Healy database and query arrangement to afford “hashing” protection to the fictitious “Decoy Credit Card Numbers”, bank accounts, etc., as taught by Bennison.  Motivation for modifying would have been to improve security of the database (and contents) by storing and utilizing hashed values instead of actual values (McClintock column 4, lines 66-67).

Claim(s) 16: stand rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”, and even further in view of Stickle (US10873601B1), hereinafter, “Stickle”.
Per claim(s) 16, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  The Israeli/Margalit/Catlett/Healy combination does not disclose, but Stickle (in the same field of endeavor) teaches wherein:
the fictitious data entry is generated using a generative machine learning model trained on a training set including non-fictitious data entries to distinguish fictitious from non-fictitious data entries (Stickle column 10, lines 50-54, “…FIG. 1 also illustrates that the decoy workflow engine 132 may include a targeting component 138. The targeting component 138 is configured to “get ahead” of the attacker 114 by building out decoy data and decoy resources that are tailored to what the attacker 114 is targeting. …”; Stickle column 11, lines 11-21, “…The determination of the type of data and the type of resources to “build out” in the targeted set 204 of decoy data 226 and decoy resources 228 may be based on historical data (e.g., past API calls 202, past sequences (e.g., signal patterns) of API calls 202, etc.) that are usable (e.g., using analytics built around known sequences/patterns of API calls) to make predictions as to future API calls 202 that the attacker 114 is likely to make. In some embodiments, machine learning models may be used for such prediction capabilities of the targeting component 138…”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify Israeli/Margalit/Catlett/Healy combination to incorporate machine learning as taught by Stickle.  Motivation for modifying would have been (Stickle column 10, lines 52-54) to “get ahead” of the attacker 114 by building out decoy data and decoy resources that are tailored to what the attacker 114 is targeting.

Claim(s) 18: stand rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”, and even further in view of Waugh (US11138246B1), hereinafter “Waugh”.
Per claim(s) 18, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  The Israeli/Margalit/Catlett/Healy combination does not disclose, but Waugh (in the relevant textual searching/comparison art) teaches wherein:
the fictious data entry is determined to be different from the non-fictious data entries based on a probabilistic data structure storing the non-fictitious entries (Waugh column 17, lines 27-30, “…The results of this search 1312 indicate that the sought data 1308 is not in the data indexed by the trie 1310 as indicated by the low probability (e.g., 16.67%) that the sought data 1308 is in the trie 1310. …”); or
that the second repository of compromised data is determined to include the fictitious data entry based on a probabilistic data structure storing the compromised data (Waugh column 2, lines 16-19, “…using a probabilistic data structure such as, for example, a tiling trie, to index textual data such as log data and to provide an existence check for entries within that textual data…”; Waugh column 17, lines 46-50, “…The results of this search 1324 indicate a high probability (e.g., 100%) that the sought data 1320 is in the trie 1322, which in turn indicates a high likelihood that the sought data 1320 is in the data indexed by the trie 1322..”).
.  It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the combination of Israeli/Margalit/Healy/Catlett’s database searching/comparison arrangement to include/utilize a probabilistic data structure as taught by Waugh.  Motivation for modifying would have been to considerably reduce search time (Waugh column 2, lines 19-23, “…If the probabilistic data structure indicates that there is a high probability that an entry is located within a portion of the data, then the search space for the “brute force” search can be considerably reduced…”).

Claim(s) 19: stand rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”, and even further in view of Dulce et al. (US20160381023A1), hereinafter, “Dulce”.
Per claim(s) 19, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  The Israeli/Margalit/Catlett/Healy combination does not disclose, but Dulce (in the same field of endeavor) teaches wherein the operations comprise:
generating the fictitious data entry by violating one or more rules that determine a valid entry in the field (Dulce para. [0102], “…a token of type “password” may have an additional set of rules requiring that, in addition to meeting the set of characteristics for the type, that a word from an English dictionary or a list of common proper nouns must be included in the generated token…”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the combination of Israeli/Margalit/Catlett/Healy’s password arrangement to include purposefully invalid passwords as taught by Dulce.  Motivation for modifying would have been to include a fictitious password which tends to be “believable” to an attacker (Dulce para. [0102]), and to make the fictitious password more easily guessable by an attacker so that they more likely attempt usage of the password (where usage would then serve as signal of a breach to a system monitoring for usage of the fictitious password.

Claim(s) 21: stand rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”, and even further in view of Heinla et al. (US20050108247A1), hereinafter, “Heinla”.
Per claim(s) 21, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  The Israeli/Margalit/Catlett/Healy combination does not disclose, but Heinla (in the relevant database construction and searching art) teaches wherein:
the second repository has more than 10-billion entries (Heinla para. [0127], “The system 10 is of benefit in that data record searching time therein is not influenced by the number of slots 80 included or nodes 30, 40 in the system 10. Thus, searching the system 10 implemented as a 100 million-node database is substantially as fast as searching the system 10 implemented with 1000 participating nodes.”); and
the query response is provided within less than 500 milliseconds of sending the query and indicates whether the fictitious data entry matches any of the I 0-billion entries (Heinla para. [0009], “…the database is arranged to deliver search responses to the on-line users in less than one second, for example 0.5 seconds.”).
 It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the combination of Israeli/Margalit/Catlett/Healy’s storage arrangement to Heinla’s 0.5 second searchable database arrangement.  Motivation for modifying would have been to implement a searchable database arrangement which was both fast and scalable.

Claim(s) 22: stand rejected under 35 U.S.C. 103 as being unpatentable over Israeli et al (US20180374071A1), hereinafter, “Israeli”, in view of Margalit et al. (US20180330122A1), hereinafter, “Margalit”, further in view of Catlett et al. (US8880435B1), hereinafter, “Catlett”, and even further in view of Healy et al. (US20170053115A1), hereinafter, “Healy”, and even further in view of Sharifi (US10521584B1), hereinafter, “Sharifi”.
Per claim(s) 22, the above rejection of parent claim 1 (from which this claim depends) is incorporated by reference.  The Israeli/Margalit/Catlett/Healy combination does not disclose, but Sharifi (in the relevant computer threat analysis field of endeavor) teaches: 
steps for determining an identity score for an entity associated with the first repository (Sharifi column 16, lines 55-64, “…the threat analysis service adds the scores associated with the alert records to create a combined alert score. If the combined alert scores greater than a threshold value set by a customer administrator, the threat analysis service examines the scores of the trigger records and identifies a particular trigger record having the highest score. If the highest score is greater than a threshold value set by the customer administrator, the graph is determined to indicate that a compromise of the customer environment caused significant harm…”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the combination of Israeli/Margalit/Catlett/Healy’s arrangement to further include a threat analysis service as taught by Sharifi.  Motivation for modifying would have been to present compromise anomalies in a more understandable and manageable way (Sharifi column 17, lines 36-40).

Conclusion
The prior art made of record and listed on the attached Form PTO-892 not relied upon is considered pertinent to applicant's disclosure.  For example, some Form PTO-892-listed references include:
Kimhi et al. (US20180373868A1) teaches a deceptive decoy element may include an identifier by which the computing device is able to determine (or receive an indication of) whether, for example, an employee or an external attacker has opened the deceptive decoy element. The indication of unauthorized access may include, for example, the identity of the entity, the path made until opening the deceptive decoy element.
Margalit et al. (US20180330121A1) teaches generating a marked account using a plurality of data, initiating a first transaction using the generated marked account, and determining that a second transaction has occurred using the generated marked account to signal a breach. 
Boss et al. (US9462013B1) teaches interweaving a honeypot system with the production system, leaving the production system intact when a breach is detected, and routing the detected attacker to the honeypot system based on a detected point of entry of the attacker into the production system.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Paul J Skwierawski whose telephone number is (571)272-2642. The examiner can normally be reached 7:30am-4:00pm weekdays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisory primary examiner (SPE) Yin-Chen Shaw can be reached on (571)272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional 
questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Paul Skwierawski/
Patent Examiner, Art Unit 2498


/Jeremy S Duffield/Primary Examiner, Art Unit 2498