DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 01 July 2026 has been entered.
Response to Amendment
Applicant’s amendment filed 01 July 2026 amends claims 1, 9, and 15. Applicant’s amendment has been fully considered and entered.
Response to Arguments
Applicant argues on page 11 of the response, “…claim 1 is amended hereby to…distinguish actions that are not authorized to be performed by the network-connected storage device of claim 1 from passive monitoring of a lure query or a lure response…there is clear support in the specification of the present application, at least at the paragraphs mentioned above, for the requesting device not being authorized to ‘read, copy, or download information from the network connected storage device’ even through the requesting device may passively receive a lure query or a lure response.” This argument is not persuasive because as stated in the Final rejection mailed 01 April 2026 (“Final”), Applicant’s specification ([0043]) discloses that the lure query message 197 and the lure response message 198, accessed by the unauthorized device, includes information that is not the lure identifier. Paragraphs [0045]-[0049] describes a request 199 from the unauthorized device that includes the information from 197 or 198. Specifically, paragraph [0049] specifies that the request 199 “is directed to the lure identifier or interesting lure information that may have been part of the lure query or response message…” Therefore, it is clear from the cited paragraphs that the claimed ‘requesting device’ reads information from the network-connected storage device that is not the lure identifier. The 112(a) rejection of claim 1 is overcome because the amended language specifies that the requesting device is not authorized to connect to…the network-connected storage device. Claims 9 and 15 do not require this limitation since the “connect to” language is written in the alternative.
Examiner Notes
All claims were reviewed for compliance with 35 USC §101 (as set forth in MPEP 2106) and it was determined that the claims are statutory.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 9-13, 15-17, 19-23 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventors, at the time the application was filed, had possession of the claimed invention.
Claim 9 requires a network-connected storage device to transmit lure identifiers and monitoring of incoming requests directed to a lure identifier from requesting devices that are not authorized to read information from the network-connected storage device such that the requesting devices that are not authorized to read information from the network-connected storage device do not read information from the network-connected storage device, that is not the lure identifier. However, the specification specifies that the requesting devices that are not authorized to read information from the network-connected storage device, do in fact read information from the network-connected storage device that is not the lure identifier. Specifically, paragraph [0043] of Applicant’s specification discloses that the lure query message 197 and the lure response message 198, accessed by the unauthorized device, includes information that is not the lure identifier. Paragraphs [0045]-[0049] describes a request 199 from the unauthorized device that includes the information from 197 or 198. Specifically, paragraph [0049] specifies that the request 199 “is directed to the lure identifier or interesting lure information that may have been part of the lure query or response messages…” Therefore, it is clear from the cited paragraphs that the claimed “requesting device” reads information from the network-connected storage device that is not the lure identifier.
Claim 15 requires a network-connected storage device to transmit lure identifiers and monitoring of incoming requests directed to a lure identifier from requesting devices that are not authorized to read information from the network-connected storage device such that the requesting devices that are not authorized to read information from the network-connected storage device does not read information from the network-connected storage device, that is not the lure identifier. However, the specification and the claim specify that the requesting devices that are not authorized to read information from the network-connected storage device, do in fact read information from the network-connected storage device that is not the lure identifier. Specifically, paragraph [0043] of Applicant’s specification discloses that the lure query message 197 and the lure response message 198, accessed by the unauthorized device, includes information that is not the lure identifier. Paragraphs [0045]-[0049] describes a request 199 from the unauthorized device that includes the information from 197 or 198. Specifically, paragraph [0049] specifies that the request 199 “is directed to the lure identifier or interesting lure information that may have been part of the lure query or response messages…” Therefore, it is clear from the cited paragraphs that the claimed “requesting device” reads information from the network-connected storage device that is not the lure identifier.
Claims 10-13, 16, 17, 19-23 are rejected based upon their dependence on claims 9, and 15 respectively.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-6, 8-13, 15-17, 19-23 are rejected under 35 U.S.C. 103 as being unpatentable over Stolfo, U.S. Publication No. 2010/0077483, in view of Chao, U.S. Patent No. 9,912,695.
Referring to claim 1, Stolfo discloses a deception system 114 that includes a processor, memory, and communications interface ([0063]: deception system 114 reads on the claimed network-connected storage device), which meets the limitation of a network-connected storage device of a system comprising at least one processor and network-connected storage. Decoy traffic information includes decoy requests and decoy responses (Figure 5) such that the decoy requests can be decoy logins using decoy usernames/passwords (Figure 5 & [0046] & [0100]: decoy username from decoy login information reads on the claimed lure identifier) and that the decoy traffic information can be generated, by the deception system, as honeyflows and transmitted, by the deception system, to decoy information broadcasters ([0123]), which meets the limitation of transmitting, by a network-connected storage device of a system comprising at least one processor and network-connected storage, a lure query comprising at least one lure identifier, wherein the at least one lure identifier appears to be useable to attempt to connect to, and to read, copy, or download the first information from the network-connected storage. The decoy traffic information includes decoy requests and decoy responses (Figure 5) and that the decoy traffic information can be generated, by the deception system, as honeyflows and transmitted, by the deception system, to decoy information broadcasters ([0123]), which meets the limitation of transmitting, by the network-connected storage device, a lure response, stored at the network connected storage, that appears to be responsive to the lure query according to the at least one lure identifier, wherein the lure response comprises lure information associated with the at least one lure identifier, wherein the lure information is indicative of first information, wherein the at least one lure identifier is indicated by at least one of the lure query or the lure response, and wherein the first information does not exist. Examiner notes that what the lure information “indicates” does not receive patentable weight since such indications do not define structure, nor to such indications define functional steps that are performed (See MPEP 2111.04-2111.05). Deception system identifies the use of the decoy usernames in order to identify attackers ([0100] & [0178]-[0179]: Applicant’s specification discloses [0047] that the request is determined to have originated from a source that is not authorized to access the storage device based on request including fake information. Request received that includes decoy usernames would be considered a request including fake information, and would therefore, meet the limitation based on Applicant’s specification.), which meets the limitation of monitoring, by the network-connected storage device, for at least one incoming request message directed to the lure identifier from a requesting device that is not authorized to connect to and to read, copy, or download, information from the network-connected storage device. The identified use of the decoy login information can include monitoring for copy command operations for documents ([0185] & [0115]: document is a copy of an actual document, therefore, request user is requesting access to the actual document but receiving a decoy document and not the actual document), which meets the limitation of wherein the at least one incoming request message comprises at least one copy manipulation command to copy the first information, and wherein, responsive to the at least one incoming request message, the requesting device does not copy the first information, that is not the at least one lure identifier, from the network-connected storage device to result in copy non-access, wherein the copy non-access comprises not copying the first information, that is not the at least one lure identifier, from the network-connected storage. Deception system identifies the use of the decoy usernames in order to identify attackers ([0100] & [0178]-[0179]), which meets the limitation of and wherein the at least one incoming request message is determined by the network-connected storage device to have originated from the requesting device that is not authorized to connect to, or to read, copy, or download, the first information from the network-connected storage device based on the at least one incoming request message being directed to the at least one lure identifier and based on the at least one incoming request message comprising the at least one read, copy, or download manipulation command corresponding to the first information, determining, by the network-connected storage device, that one of the at least one incoming request message is directed to the at least one lure identifier to result in a determined incoming request message. If the deception system identifies the user of decoy usernames, the deception system transmits a notification ([0102] & [0149] & [0179]: notification reads on the claimed remediation action), which meets the limitation of based on the determined incoming request message being determined to be directed to the at least one lure identifier and based on the at least one incoming request message comprising the at least one read, copy, or download manipulation command corresponding to the first information, performing, by the network-connected storage device, an attack remediation action with respect to determined incoming request message.
Stolfo does not explicitly disclose that the decoy usernames can be decoy email addresses. Stolfo does suggest that the decoy information can include decoy email addresses ([0141] & [0187]), which meets the limitation of wherein the at least one [lure identifier] comprises at least one address that appears to be associated with the network-connected storage. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the decoy usernames to have been generated using decoy email addresses because Stolfo discloses that decoy email addresses represent one of a finite number of possible forms of decoy information that could have been utilized by one of ordinary skill in the art with a reasonable expectation of success ([0141] & [0187]).
Stolfo does not disclose that access to the decoy information is blocked. Chao discloses the granting of access to synthetic information in a honeypot while also denying access to synthetic information in the honeypot (Col. 15, lines 20-57), which meets the limitation of wherein the attack remediation action comprises blocking of granting of access by the requesting device to the network connected storage. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the deception system of Stolfo to provide the ability to block access to decoy information in order to give the unauthorized user the illusion of access failure that would occur in a real computing environment as suggested by Chao (Col. 12, lines 1-8).
Referring to claim 2, Stolfo discloses wherein the lure response comprises a server message block CONNECT command (Figure 5 reveals the lure responses are associated with POP communication protocol that allows email client to connect and retrieve/transfer messages server).
Referring to claim 3, Stolfo discloses wherein the lure information is generated based on at least one category of interest (paragraph 81 reveals the decoy information is based at least in part on actual information, wherein paragraph [0116] reveals decoy traffic information can be based on different categories such as decoy account user names, decoy account passwords, decoy MAC addresses, decoy IP addresses, and decoy protocol command. Paragraph [0083] reveals the decoy information is assigned to one or more of the categories of interest. Categories on interest can include, for example, financial, medical record, shopping list, credit card, budget, personal, bank statement, vacation note, or any other suitable category).
Referring to claim 4, Stolfo discloses wherein the at least one category of interest comprises at least one: a first category relating to a non-publicly known technology, a second category relating to a first location of a meeting, a third category relating to planning of an event, a fourth category relating to finance, a fifth category relating to a status of an individual, a sixth category relating to a second location of the individual, a seventh category relating to a personal record of the individual, an eighth category relating to a third location of an item, a ninth category relating to a fourth location associated with a shipment of the item, a tenth category relating to shipping information associated with shipping the shipment, an eleventh category relating to health care, or a twelfth category relating to a military application (paragraph [0083] reveals the decoy information is assigned to one or more of the categories of interest. Categories on interest can include, for example, financial, medical record, shopping list, credit card, budget, personal, bank statement, vacation note, or any other suitable category).
Referring to claim 5, Stolfo discloses that the deception system generates the decoy usernames ([0116] & [0123]), which meets the limitation of generating, by the network-connected storage device, the at least one lure identifier.
Referring to claim 6, Stolfo does not explicitly disclose that the decoy usernames can be information in a path format. Stolfo does suggest that the decoy information can include decoy IP addresses ([0116]: network IP addresses can be considered to be a path format), which meets the limitation of wherein the at least one [lure identifier] comprises information in a path format. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the decoy usernames to have been generated using decoy IP addresses because Stolfo discloses that decoy IP addresses represent one of a finite number of possible forms of decoy information that could have been utilized by one of ordinary skill in the art with a reasonable expectation of success ([0116]).
Referring to claim 8, Stolfo discloses that the decoy traffic information includes decoy requests and decoy responses (Figure 5) such that the decoy requests can be decoy logins using decoy usernames/passwords (Figure 5 & [0046] & [0100]: decoy passwords read on the claimed second information), which meets the limitation of wherein the lure query messages comprises second information associated with at least one lure identifier that is different than the first information.
Referring to claim 9, Stolfo discloses a deception system 114 that includes a processor, memory, and communications interface ([0063]), which meets the limitation of a network-connected storage device comprising at least one processor. Decoy traffic information includes decoy requests and decoy responses (Figure 5) such that the decoy requests can be decoy logins using decoy usernames/passwords (Figure 5 & [0046] & [0100]: decoy username from decoy login information reads on the claimed lure identifier) and that the decoy traffic information can be generated, by the deception system, as honeyflows and transmitted, by the deception system, to decoy information broadcasters ([0123]), which meets the limitation of transmit a lure query message to network equipment that is part of a network, wherein the at least one lure identifier corresponds to [an address associated with the network-connected storage and] appears to be associated with the network-connected storage. The decoy traffic information includes decoy requests and decoy responses (Figure 5) and that the decoy traffic information can be generated, by the deception system, as honeyflows and transmitted, by the deception system, to decoy information broadcasters ([0123]), which meets the limitation of transmit, as retrieved from the network-connected storage device connected to the network equipment, a lure response message that appears to be responsive to the lure query according to at least one lure identifier and that is indicative of lure information that appears to be associated with first information, wherein the at least one lure query message or the lure response message indicates the lure identifier, wherein the lure identifier appears to be associated with the network-connected storage device, and wherein the first information does not exist at the network-connected storage device. Examiner notes that what the lure information “indicates” does not receive patentable weight since such indications do not define structure, nor to such indications define functional steps that are performed (See MPEP 2111.04-2111.05). Deception system identifies the use of the decoy usernames in order to identify attackers ([0100] & [0178]-[0179]: Applicant’s specification discloses [0047] that the request is determined to have originated from a source that is not authorized to access the storage device based on request including fake information. Request received that includes decoy usernames would be considered a request including fake information, and would therefore, meet the limitation based on Applicant’s specification.), which meets the limitation of monitor at least one incoming request message directed to the at least one lure identifier by a requesting device that is not authorized to connect to, or to read, copy, or download information from the network-connected storage device and that does not connect to, and does not read, copy, or download, information, other than the at least one lure identifier, from the network-connected storage device to result in read, copy, or download non-access, determine that one of the at least one incoming request message was directed to the at least one lure identifier, resulting in a determined incoming request message, wherein the at least one incoming request message is determined by the network-connected storage device to have originated from the requesting device based on the at least one incoming request message being directed by the requesting device to the at least one lure identifier and based on the at least one incoming request message comprising the at least one read, copy, or download manipulation command corresponding to the first information. The identified use of the decoy login information can include monitoring for copy command operations for documents ([0185] & [0115]: document is a copy of an actual document, therefore, request user is requesting access to the actual document but receiving a decoy document and not the actual document), which meets the limitation of wherein the at least one incoming request message comprises at least one read, copy, or download file manipulation command directed to the first information, and wherein the read, copy, or download non-access of the information comprises at least one of: not reading, not copying, or not downloading the first information from the network-connected storage. If the deception system identifies the user of decoy usernames, the deception system transmits a notification ([0102] & [0149] & [0179]: notification reads on the claimed remediation action), which meets the limitation of based on the determined incoming request message being determined to be directed to the at least one lure identifier by the requesting device and based on the at least one incoming request message comprising the at least one read, copy, or download manipulation command corresponding to the first information, initiate, performance of an attack remediation action.
Stolfo does not explicitly disclose that the decoy usernames can be decoy email addresses. Stolfo does suggest that the decoy information can include decoy email addresses ([0141] & [0187]), which meets the limitation of wherein the at least one [lure identifier] corresponds to an address associated with the network-connected storage device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the decoy usernames to have been generated using decoy email addresses because Stolfo discloses that decoy email addresses represent one of a finite number of possible forms of decoy information that could have been utilized by one of ordinary skill in the art with a reasonable expectation of success ([0141] & [0187]).
Stolfo does not disclose that access to the decoy information is blocked. Chao discloses the granting of access to synthetic information in a honeypot while also denying access to synthetic information in the honeypot (Col. 15, lines 20-57), which meets the limitation of wherein the attack remediation action comprises blocking of granting of access by the requesting device to the network connected storage. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the deception system of Stolfo to provide the ability to block access to decoy information in order to give the unauthorized user the illusion of access failure that would occur in a real computing environment as suggested by Chao (Col. 12, lines 1-8).
Referring to claim 10, Stolfo discloses wherein the lure response comprises a server message block CONNECT command (Figure 5 reveals the lure responses are associated with POP communication protocol that allows email client to connect and retrieve/transfer messages server).
Referring to claim 11, Stolfo discloses wherein the lure information is generated based on at least one of a group of categories of interest, the group of categories comprising at least one: a first category relating to secret technology, a second category relating to a first location of a meeting, a third category relating to planning of an event, a fourth category relating to finance, a fifth category relating to a status of an individual, a sixth category relating to a second location of the individual, a seventh category relating to a personal record of the individual, an eighth category relating to a third location of an item, a ninth category relating to a fourth location associated with a shipment of the item, a tenth category relating to shipping information associated with shipping the shipment, an eleventh category relating to health care, or a twelfth category relating to a military application (paragraph [0083] reveals the decoy information is assigned to one or more of the categories of interest. Categories on interest can include, for example, financial, medical record, shopping list, credit card, budget, personal, bank statement, vacation note, or any other suitable category).
Referring to claim 12, Stolfo does not explicitly disclose that the decoy usernames can be decoy email addresses. Stolfo does suggest that the decoy information can include decoy email addresses ([0141] & [0187]), which meets the limitation of wherein the at least one [lure identifier] comprises second information in an address format. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the decoy usernames to have been generated using decoy email addresses because Stolfo discloses that decoy email addresses represent one of a finite number of possible forms of decoy information that could have been utilized by one of ordinary skill in the art with a reasonable expectation of success ([0141] & [0187]).
Referring to claim 13, Stolfo discloses that the system generates the decoy usernames ([0116]), which meets the limitation of wherein the processor is further configured to generate the lure identifier.
Referring to claim 15, Stolfo discloses a deception system 114 that includes a processor, memory, and communications interface ([0063]). Decoy traffic information includes decoy requests and decoy responses (Figure 5) such that the decoy requests can be decoy logins using decoy usernames/passwords (Figure 5 & [0046] & [0100]: decoy username from decoy login information reads on the claimed lure identifier) and that the decoy traffic information can be generated, by the deception system, as honeyflows and transmitted, by the deception system, to decoy information broadcasters ([0123]), which meets the limitation of transmitting, by the network-connected storage device to at least one computing device of a network a lure query message, wherein the at least one lure identifier corresponds to [an address associated with the network-connected storage] and that is indicative of lure information that appears to be associated with first information stored by the network-connected storage. The decoy traffic information includes decoy requests and decoy responses (Figure 5) and that the decoy traffic information can be generated, by the deception system, as honeyflows and transmitted, by the deception system, to decoy information broadcasters ([0123]), which meets the limitation of transmit, by the network-connected storage device to the at least one computing device of the network, a lure response message that appears to be directed to a lure identifier and that is indicative of lure information that appears to be associated with first information stored by the network-connected storage device, wherein the at least one lure query message or the lure response message is indicative of the lure identifier, wherein the first information does not exist at the network-connected storage device, and wherein the lure identifier is determinable to be associated with the network-connected storage device. Examiner notes that what the lure information “indicates” does not receive patentable weight since such indications do not define structure, nor to such indications define functional steps that are performed (See MPEP 2111.04-2111.05). Deception system identifies the use of the decoy usernames in order to identify attackers ([0100] & [0178]-[0179]: Applicant’s specification discloses [0047] that the request is determined to have originated from a source that is not authorized to access the storage device based on request including fake information. Request received that includes decoy usernames would be considered a request including fake information, and would therefore, meet the limitation based on Applicant’s specification.), which meets the limitation of monitoring, by the network-connected storage device, at least one incoming request message from a requesting device that is not authorized to connect to, or to read, copy, or download information from the network-connected storage device and that does not connect to, and does not read, copy, or download, information, other than the at least one lure identifier, from the network-connected storage device to result in read, copy, or download non-access, determining, by the network-connected storage device, that at one of the at least one incoming request message was directed to the at least one lure identifier by the requesting device, resulting in at least one determined incoming request message, wherein the at least one incoming request message is determined by the network-connected storage device to have originated from the requesting device based on the at least one incoming request message being directed by the requesting device to the at least one lure identifier and based on the at least one incoming request message comprising the at least one read, copy, or download manipulation command corresponding to the first information. The identified use of the decoy login information can include monitoring for copy command operations for documents ([0185] & [0115]: document is a copy of an actual document, therefore, request user is requesting access to the actual document but receiving a decoy document and not the actual document), which meets the limitation of wherein the at least one incoming request message comprises at least one read, copy, or download file manipulation command directed to the first information, and wherein the read, copy, or download non-access of the information comprises at least one of: not reading, not copying, or not downloading the first information from the network-connected storage. If the deception system identifies the user of decoy usernames, the deception system transmits a notification ([0102] & [0149] & [0179]: notification reads on the claimed remediation action), which meets the limitation of based on the at least one determined incoming request message being determined to be directed to the at least one lure identifier by the requesting device and based on the at least one incoming request message comprising the at least one read, copy, or download manipulation command corresponding to the first information, enabling, by the network-connected storage device, performance of an attack remediation action.
Stolfo does not explicitly disclose that the decoy usernames can be decoy email addresses. Stolfo does suggest that the decoy information can include decoy email addresses ([0141] & [0187]), which meets the limitation of wherein the at least one [lure identifier] corresponds to an address associated with the network-connected storage device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the decoy usernames to have been generated using decoy email addresses because Stolfo discloses that decoy email addresses represent one of a finite number of possible forms of decoy information that could have been utilized by one of ordinary skill in the art with a reasonable expectation of success ([0141] & [0187]).
Stolfo does not disclose that access to the decoy information is blocked. Chao discloses the granting of access to synthetic information in a honeypot while also denying access to synthetic information in the honeypot (Col. 15, lines 20-57), which meets the limitation of wherein the attack remediation action comprises blocking of granting of access by the requesting device to the network connected storage. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the deception system of Stolfo to provide the ability to block access to decoy information in order to give the unauthorized user the illusion of access failure that would occur in a real computing environment as suggested by Chao (Col. 12, lines 1-8).
Referring to claim 16, Stolfo discloses that the system generates the decoy usernames ([0116]), which meets the limitation of wherein the operations further comprise generating, at the network-connected storage, the lure identifier.
Referring to claim 17, Stolfo does not explicitly disclose that the decoy usernames can be information in a path format. Stolfo does suggest that the decoy information can include decoy IP addresses ([0116]: network IP addresses can be considered to be a path format), which meets the limitation of wherein the [lure identifier] comprises second information in a path format. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the decoy usernames to have been generated using decoy IP addresses because Stolfo discloses that decoy IP addresses represent one of a finite number of possible forms of decoy information that could have been utilized by one of ordinary skill in the art with a reasonable expectation of success ([0116]).
Referring to claim 19, Stolfo discloses that the decoy traffic information includes decoy requests and decoy responses (Figure 5) such that the decoy requests can be decoy logins using decoy usernames/passwords (Figure 5 & [0046] & [0100]: decoy passwords read on the claimed second information), which meets the limitation of wherein the lure query messages comprises second information that is associated with the lure information and that is different than the first information.
Referring to claim 20, Stolfo discloses wherein the lure query message comprises at least one file name associated with the lure information (paragraph 46 disclose decoy information include bogus login (see Figure 5 request) and password for google mail. Paragraph [0051] also reveal the decoy information can be a login request (e.g., an email login, a system login, a network login, a website username). Webpage is a file. See also paragraph [0071] which also recite if a decoy document contains a decoy account credential for a particular identity, the inside attacker can verify that the particular identity is real or not by querying an external system, such as a website (e.g., www.whitepages.com, www.google.com, etc.) ).
Referring to claims 21, 22, Stolfo discloses that the deception system generates the decoy traffic information ([0048]-[0049] & [0123]) and the decoy traffic information includes decoy requests and decoy responses (Figure 5), which meets the limitation of generating, by the network-connected storage device, the lure query message, generating, by the network-connected storage device, the lure response message to correspond to the lure query message.
Referring to claim 23, Stolfo discloses that the deception system identifies the use of the decoy usernames in order to identify attackers ([0100] & [0178]-[0179]), which meets the limitation of determining, by the network-connected storage device, that the one of the at least one incoming request message was transmitted by an attacking computer device. If the deception system identifies the user of decoy usernames, a notification can be transmitted ([0102] & [0149] & [0179]), which meets the limitation of wherein the attack remediation action is enabled with respect to the attacking computer device.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805. The examiner can normally be reached M-Th: 5:30-4:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at 5712705143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BENJAMIN E LANIER/ Primary Examiner, Art Unit 2437