SYSTEM AND METHOD FOR DETECTING DIGITAL INTRUSION AND REDIRECTING TO SAFE ZONE IN REAL-TIME

§103 §112

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority No priority claims exist for the instant application. Therefore, the effective filing date of the claims will be 18 October 2022. Response to Arguments Applicant’s arguments, see page 19, filed 18 September 2025, with respect to the rejection of claims 16 and 32 under 35 U.S.C. 103—“Advanced analytics including IP bad actor checks, malware detection (with base64- encoded payloads), regional correlation against threat databases, and forensic reporting”, have been fully considered and are persuasive in light of the new claim amendments. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Costello et al. (US 2020/0220722 A1), Cohen et al. (US 2023/0006844 A1), Novick et al. (US 2020/0273040 A1), Moore et al. (US 2022/0021651 A1) and Williams, JR et al. (US 2015/0254555 A1). For a detailed analysis see the 35 U.S.C. 103 section below. Applicant's additional arguments filed 18 September 2025 have been fully considered but they are not persuasive. In response to applicant’s arguments that “Continuous and programmatic reprogramming of micro pulses and pulse values to resist brute-force and quantum-level attacks”, stated on page 19, the examiner respectfully disagrees. Costello discloses enabling the first component 60 to insert, or in other words, add a data authentication pulse of a specified frequency, amplitude and possibly dampening factor to a communication signal. First component 60 may, in other words, superimpose the data authentication pulse on top of at least one or more pulses of the communication signal to obtain the encrypted communication signal (Para. 38). The system may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78). Therefore, the combination of the cited prior art teaches the aforementioned limitation. In response to applicant’s arguments that “Integration of an unauthorized attempt detection module configured to deliver neutral or deceptive feedback while preserving a spoofed connection for intelligence gathering”, stated on page 19, the examiner respectfully disagrees. Cohen discloses if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Therefore, the combination of the cited prior art teaches the aforementioned limitation. In response to applicant’s arguments that “Redirection of intruders into reverse-phishing forensic environments and safe zones designed to collect origin, intent, and behavioral data”, stated on page 19, the examiner respectfully disagrees. Cohen discloses if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Therefore, the combination of the cited prior art teaches the aforementioned limitation. In response to applicant’s arguments that the cited prior art “neither teaches nor suggests the claimed approach of deliberately portraying incorrect authentication results and simultaneously prolonging the spoofed connection to collect forensic intelligence from the unauthorized user”, stated on page 20, the examiner respectfully disagrees. Cohen discloses if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Novick discloses if the analysis indicates that the current user of the device is not the genuine user, then, one or more fraud-stopping operations or additional authentication operations may be triggered and performed, for example, requiring the user to re-enter his password or pass-phrase or Personal Identification Number (PIN) (Para. 367). Therefore, the combination of the cited prior art teaches the aforementioned limitation. In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, Cohen the use of honeypot traps such as fake login interfaces in order to gain additional information. Novick discloses determining that a user is not a genuine user and then requiring the user to re-enter his password. The combination of the Costello and Cohen with Novick discloses a system that uses Cohen’s fake login interfaces with Novick’s requirement of re-entering a password. The combination would allow the system to gain additional intelligence such as additional keystroke information and provide the system with additional time to identify the malicious user and device. The addition of Novick does not teach away from the combination, nor does it change the principle of operation of Costello in view of Cohen. Therefore, the combination is valid. Drawings The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference characters not mentioned in the description: Figure 5 of the drawings includes multiple element numbers that do not coincide with the specification. The specification at paragraph 62 correlates element 504 with both the “validating” and “identifying” steps, step 506 with the “determining” step, step 508 with the next “identifying” step, step 510 with the “redirecting” step, step 512 with the “spoofing” step, step 514 with the “refusing” step, and step 516 with the “enabling” step. The specification does not include an element 518. Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance. Specification No issues have been found with the specification amendments filed 18 September 2025. Claim Objections Claims 4, 17, 20, and 28 are objected to because of the following informalities: Regarding claim 4, line 4—“the spoofed connection”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 4 to state --a spoofed connection--, for example. Regarding claim 17, lines 33-36—“synchronizing a pulse oracle continuously change…”, the phrase appears to be missing one or more words. This objection may be overcome by amending lines 33-36 to state --synchronizing a pulse oracle, the pulse oracle continuously changing--, for example. Regarding claim 17, line 38—“the safe zone”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 38 to state --a safe zone--, for example. Regarding claim 20, line 3—“the spoofed connection”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 3 to state --a spoofed connection--, for example. Regarding claim 28, line 3—“the spoofed connection”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 3 to state --a spoofed connection--, for example. Regarding claim 28, line 2—“the additional intelligence”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 3 to state --additional intelligence--, for example. Appropriate correction is required. Claim Interpretation The following is a quotation of 35 U.S.C. 112(f): (f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph: An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph: (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: “the unauthorized attempt detection module is configured to provide…” in claim 4. Because the claim limitation is being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it is being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. If applicant does not intend to have the limitation interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation to avoid it being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation recites sufficient structure to perform the claimed function so as to avoid it being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Regarding the “unauthorized attempt detection module” limitation listed above, the unauthorized attempt detection module is part of the pulse reader module 204 and the pulse reader module 204 is part of the pulse intrusion detection module 116 (see Fig. 1, el. 116; Fig. 2, el. 116, 204, 216). The pulse intrusion detection module 116 is stored within memory 114 (see Fig. 1, el. 114, 116). The unauthorized attempt detection module 216 may be configured to identify the digital intrusion of the unauthorized user during the in-process communication between the first computing device 102 and the third computing device 105. The unauthorized attempt detection module 216 may be configured to re-direct the unauthorized user to the safe zone for collecting/gathering the forensic data about the unauthorized user and their intent, origin. The unauthorized attempt detection module 216 may be configured to portray the unauthorized user that a password entered is wrong, and requests to try again (see Para. 47). The processor 112 includes the memory 114 may be configured to store the pulse intrusion detection module 116 on the first computing device 102 and the third computing device 105 (see Para. 34). The pulse intrusion detection module 116 is accessed as a mobile application, web application, and software that offers the functionality of accessing mobile applications and viewing/processing interactive pages (see Para. 35). Therefore, the aforementioned module limitation has structural support in the specification by virtue of the module including algorithm instructions that are stored in memory and executed by a processor. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 6 and 28 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Regarding claim 6, line 4—“a safe zone”, it is unclear as to whether “a safe zone” is referring to “a safe zone” of claim 1. For examination purposes, “a safe zone” of line 4 and claim 1 will be interpreted to be the same. In order to overcome this rejection, line 4 may be amended to state --the safe zone--, for example. Regarding claim 28, line 5—“forensic evidence”, it is unclear as to whether “forensic evidence” is referring to “forensic evidence” of claim 17. For examination purposes, “forensic evidence” of line 5 and claim 17 will be interpreted to be the same. In order to overcome this rejection, line 5 may be amended to state --the forensic evidence--, for example. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1, 4, 6, 9, 10, 12, 14, 15, 17, 20, 22, 25, 26, 28, 30, and 31 are rejected under 35 U.S.C. 103 as being unpatentable over Costello et al. (US 2020/0220722 A1) in view of Cohen et al. (US 2023/0006844 A1). Regarding claim 1, Costello teaches a system for detecting digital intrusion in real-time…, e.g., optical system 70 (Fig. 2, el. 70), comprising: a first computing device, e.g., controller 72 (Fig. 2, el. 72); first sensor 82 (Fig. 2, el. 82), and a third computing device, e.g., controller 72 (Fig. 2, el. 72); first sensor 82 (Fig. 2, el. 82), comprising a processor, e.g., processing circuitry 77 (Fig. 2, el. 77); processing circuitry 86 may include an MCU (Fig. 2, el. 86; Para. 52), a memory, e.g., controller 72 includes memory (Para. 49); an MCU includes a computer on a single integrated circuit containing a processor core, memory, and programmable input/output peripheral (Para. 49), and a pulse intrusion detection module, wherein the processor coupled with the memory configured to store a digital intrusion detection module, the pulse intrusion detection module comprises a pulse injector, a pulse reader, a pulse oracle, and a pulse data manager, e.g., XCVR 79 (Fig. 2, el. 79); XCVR 89 (Fig. 2, el. 89); XCVR 89 may transmit encrypted communication signal 204 (or 210) to XCVR 79, which may receive encrypted communication signal 204/210, wherein XCVR 79 may determine whether data authentication pulse 202 has been superimposed over at least one of the one or more pulses (Fig. 2, el. 202, 204, 210; Para. 70); XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78); whereby the pulse injector configured to construct a set of micro pulses and corresponding values that are continuously and programmatically changeable into a pulse and the pulse is injected into at least one of: content; a document; and a communication thereby creating at least one of: a pulse protected content; a pulse-protected document; and a pulse-protected communication, e.g., XCVR 89 inserts these secondary digital signals 202 (data authentication pulses 202) into communication signal 200 to obtain encrypted communication signal 204 (Para. 66); an encrypted communication signal 210 that includes a start pulse 206 (which may be similar if not the same as secondary digital signals 202) followed by an 8-bit word in which two pulses include secondary digital signals 202A and 202B, and concluding with a stop pulse 208 (Fig. 9, el. 202A, 202B, 204, 206, 210; Para. 65); XCVR 89 may transmit encrypted communication signal 204 (or 210) to XCVR 79, which may receive encrypted communication signal 204/210, wherein XCVR 79 may determine whether data authentication pulse 202 has been superimposed over at least one of the one or more pulses (Para. 70); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); the pulse reader configured to remain in synchronization with the pulse injector, e.g., XCVR 89 may vary frequencies and amplitudes of data authentication pulses 202 according to a pseudo random sequence, and/or pulse location within communication signal 200 in which data authentication pulses 202 are inserted according to the pseudo random sequence (Para. 66); if the data frequencies and damping ratios are known in advance, a Goertzel-like approach may be more efficient for a small number of frequencies (Para. 73); both electrical transmitter 62 and electrical receiver 64 may be configured to identify which of the one or more pulses (are to, in the context of electrical transmitter 62) include the data authentication pulse according to a pseudo random sequence (and both electrical transmitter 62 and electrical receiver 64 use the same pseudo random sequence—e.g., by configuring both electrical transmitter 62 and electrical transmitter 64 with the same seed value) (Fig. 1, el. 62, 64; Para. 41), the pulse reader configured to validate the pulse of at least one of: a valid user; and an unauthorized user, e.g., XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78); the pulse oracle configured to continuously and programmatically change the micro pulses and corresponding values to mitigate brute-force and quantum-level attacks, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78), to generate forensic evidence, e.g., XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); and …. Costello does not clearly teach redirecting to a safe zone; and to redirect the unauthorized user to the safe zone. Cohen teaches redirecting to a safe zone; and the…oracle configured…to redirect the unauthorized user to the safe zone, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include redirecting to a safe zone; and to redirect the unauthorized user to the safe zone, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, for the purpose of allowing the untrusted network device to be monitored while preventing the untrusted network device from performing any malicious activities to the network. Regarding claim 4, Costello in view of Cohen teaches the system of claim 1. Costello does not clearly teach wherein the pulse reader comprising an unauthorized attempt detection module is configured to provide neutral feedback or misleading responses, including portraying incorrect authentication results or prolonging the spoofed connection, upon considering an attempt deemed to be malicious. Cohen further teaches wherein the…reader comprising an unauthorized attempt detection module is configured to provide neutral feedback or misleading responses, including portraying incorrect authentication results or prolonging the spoofed connection, upon considering an attempt deemed to be malicious, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Examiner note: claim 4 indicates the two alternative options of providing neutral feedback or providing misleading responses. The “portraying incorrect authentication results or prolonging the spoofed connection” could be interpreted to be part of either option. The examiner suggests clarifying the claim language. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include wherein the pulse reader comprising an unauthorized attempt detection module is configured to provide neutral feedback or misleading responses, including portraying incorrect authentication results or prolonging the spoofed connection, upon considering an attempt deemed to be malicious, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 1. Regarding claim 6, Costello in view of Cohen teaches the system of claim 1, wherein the processor executing instructions for an unauthorized attempt detection module is configured to re-direct the unauthorized user into a safe zone or virtual environment for gathering forensic data, intent, and origin, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Regarding claim 9, Costello in view of Cohen teaches the system of claim 1, wherein the pulse oracle is configured to continuously rotate and reprogram the micro pulses and corresponding values in real-time to remove a progress of brute-force attacks, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Costello-Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Costello-Para. 78). Regarding claim 10, Costello in view of Cohen teaches the system of claim 1, wherein the pulse oracle is configured to dynamically change the pulse in real-time to provide resilience against quantum-level attacks without impact on communication quality, e.g., XCVR 89 may vary frequencies and amplitudes of data authentication pulses 202 according to a pseudo random sequence, and/or pulse location within communication signal 200 in which data authentication pulses 202 are inserted according to the pseudo random sequence (Costello-Para. 66); XCVR 79 may decode, responsive to authenticating the one or more pulses as the valid representation of the data, the one or more pulses to obtain the data (Costello-Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Costello-Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Costello-Para. 78). Regarding claim 12, Costello in view of Cohen teaches the system of claim 1. Costello does not clearly teach wherein the pulse oracle comprising an information-gathering module is configured to request the additional intelligence from the unauthorized user as part of a spoofed connection strategy while maintaining a connection. Cohen further teaches wherein the pulse oracle comprising an information-gathering module is configured to request the additional intelligence from the unauthorized user as part of a spoofed connection strategy while maintaining a connection, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include wherein the pulse oracle comprising an information-gathering module is configured to request the additional intelligence from the unauthorized user as part of a spoofed connection strategy while maintaining a connection, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 1. Regarding claim 14, Costello in view of Cohen teaches the system of claim 1. Costello does not clearly teach wherein the processor executing instructions for a redirecting module of the pulse intrusion detection module is configured to re-direct the unauthorized user into a reverse-phishing virtual environment intended to run forensic analysis and capture forensic data on the unauthorized user's origin and intent. Cohen further teaches wherein the processor, e.g., Client device 110, malicious device 120, and/or service provider server 130 may each include one or more processors, memories, and other appropriate components for executing instructions (Cohen-Para. 23), executing instructions for a redirecting module of the…intrusion detection module is configured to re-direct the unauthorized user into a reverse-phishing virtual environment intended to run forensic analysis and capture forensic data on the unauthorized user's origin and intent, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include wherein the processor executing instructions for a redirecting module of the pulse intrusion detection module is configured to re-direct the unauthorized user into a reverse-phishing virtual environment intended to run forensic analysis and capture forensic data on the unauthorized user's origin and intent, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 1. Regarding claim 15, Costello in view of Cohen teaches the system of claim 1, wherein the processor executing instructions for an analytics module of the pulse intrusion detection module is configured to perform analytics to identify additional intelligence about the unauthorized user, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Costello-Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Costello-Para. 78); Also note Cohen discloses at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93), and if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Regarding claim 17, Costello teaches a method for detecting digital intrusion and…, comprising: constructing a set of dynamically reprogrammable micro pulses and corresponding values into a pulse and injecting into content, a document, or a communication, e.g., XCVR 89 inserts these secondary digital signals 202 (data authentication pulses 202) into communication signal 200 to obtain encrypted communication signal 204 (Para. 66); an encrypted communication signal 210 that includes a start pulse 206 (which may be similar if not the same as secondary digital signals 202) followed by an 8-bit word in which two pulses include secondary digital signals 202A and 202B, and concluding with a stop pulse 208 (Fig. 9, el. 202A, 202B, 204, 206, 210; Para. 65); XCVR 89 may transmit encrypted communication signal 204 (or 210) to XCVR 79, which may receive encrypted communication signal 204/210, wherein XCVR 79 may determine whether data authentication pulse 202 has been superimposed over at least one of the one or more pulses (Para. 70); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); enabling a pulse reader, e.g., XCVR 79 (Fig. 2, el. 79); XCVR 89 (Fig. 2, el. 89), to validate the pulse of a valid user or unauthorized user, e.g., XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78); synchronizing the pulse injector with the pulse reader to detect unauthorized access attempts, e.g., XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78); determining whether the pulses are valid or appear in a bad actor list;, e.g., XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); synchronizing a pulse oracle continuously change the micro pulses and values, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); to generate forensic evidence, e.g., XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); refuse unauthorized access, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); assuming valid authentication of encrypted communication signal 204′, signal processing and decryption unit 402 may output communication signal 200′ to decoding unit 404, which may perform additional decoding to obtain the underlying data (Fig. 10, el. 200’, 204’, 402, 404; Para. 83), and …. Costello does not clearly teach redirecting to a reverse-phishing area to spoof authentication in real-time; and to redirect the unauthorized user to the safe zone for spoof authentication. Cohen teaches redirecting to a reverse-phishing area to spoof authentication in real-time, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55); and to redirect the unauthorized user to the safe zone for spoof authentication, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include redirecting to a reverse-phishing area to spoof authentication in real-time, and to redirect the unauthorized user to the safe zone for spoof authentication, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, for the purpose of allowing the untrusted network device to be monitored while preventing the untrusted network device from performing any malicious activities to the network. Regarding claim 20, Costello in view of Cohen teaches the method of claim 17. Costello does not clearly teach a step of providing neutral or deceptive feedback designed to prolong the spoofed connection upon detecting a malicious attempt. Cohen further teaches a step of providing neutral or deceptive feedback designed to prolong the spoofed connection upon detecting a malicious attempt, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Examiner note: claim 20 indicates the two alternative options of providing neutral feedback or providing deceptive feedback. The “designed to prolong the spoofed connection upon detecting a malicious attempt” could be interpreted to be part of either option. The examiner suggests clarifying the claim language. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include a step of providing neutral or deceptive feedback designed to prolong the spoofed connection upon detecting a malicious attempt, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 17. Regarding claim 22, Costello in view of Cohen teaches the method of claim 17, comprising a step of re-directing the unauthorized user into a forensic deception environment for intelligence gathering, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Regarding claim 25, Costello in view of Cohen teaches the method of claim 17, comprising a step of continuously rotating and reprogramming the micro pulses and values to nullify brute-force, automated guessing, and emerging advanced attacks, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Costello-Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Costello-Para. 78). Regarding claim 26, Costello in view of Cohen teaches the method of claim 17, comprising a step of mutating the pulse content in real-time to resist quantum-level attacks without degrading communication quality, e.g., XCVR 89 may vary frequencies and amplitudes of data authentication pulses 202 according to a pseudo random sequence, and/or pulse location within communication signal 200 in which data authentication pulses 202 are inserted according to the pseudo random sequence (Costello-Para. 66); XCVR 79 may decode, responsive to authenticating the one or more pulses as the valid representation of the data, the one or more pulses to obtain the data (Costello-Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Costello-Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Costello-Para. 78). Regarding claim 28, Costello in view of Cohen teaches the method of claim 17. Costello does not clearly teach a step of requesting the additional intelligence from the unauthorized user through controlled deceptive interaction thereby maintaining the spoofed connection to gather forensic evidence. Cohen further teaches a step of requesting the additional intelligence from the unauthorized user through controlled deceptive interaction thereby maintaining the spoofed connection to gather forensic evidence, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include a step of requesting the additional intelligence from the unauthorized user through controlled deceptive interaction thereby maintaining the spoofed connection to gather forensic evidence, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 17. Regarding claim 30, Costello in view of Cohen teaches the method of claim 17. Costello does not clearly teach a step of re-directing the unauthorized user into a reverse-phishing virtual environment to analyze origin, intent, and attack behaviour. Cohen further teaches a step of re-directing the unauthorized user into a reverse-phishing virtual environment to analyze origin, intent, and attack behaviour, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include a step of re-directing the unauthorized user into a reverse-phishing virtual environment to analyze origin, intent, and attack behaviour, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 17. Regarding claim 31, Costello in view of Cohen teaches the method of claim 17, comprising a step of performing analytics to identify the additional intelligence about the unauthorized user by the processor executing instructions for an analytics module, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Costello-Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Costello-Para. 78); Also note Cohen discloses at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93) and if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Claims 7 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Costello in view of Cohen and further in view of Novick et al. (US 2020/0273040 A1). Regarding claim 7, Costello in view of Cohen teaches the system of claim 1. Costello does not clearly teach wherein the processor executing instructions for an unauthorized attempt detection module is configured to portray the unauthorized user that a password entered is wrong, and request retries, and thereby collect forensic intelligence through deceptive interaction. Cohen further teaches wherein the processor executing instructions for an unauthorized attempt detection module is configured to…thereby collect forensic intelligence through deceptive interaction, at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include wherein the processor executing instructions for an unauthorized attempt detection module is configured to thereby collect forensic intelligence through deceptive interaction, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 1. Costello in view of Cohen does not clearly teach wherein the processor executing instructions for an unauthorized attempt detection module is configured to portray the unauthorized user that a password entered is wrong, and request retries, and thereby collect forensic intelligence through deceptive interaction. Novick teaches wherein the unauthorized attempt detection module is configured to portray the unauthorized user that a password entered is wrong, and requests to try again, e.g., if the analysis indicates that the current user of the device is not the genuine user, then, one or more fraud-stopping operations or additional authentication operations may be triggered and performed, for example, requiring the user to re-enter his password or pass-phrase or Personal Identification Number (PIN) (Para. 367). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello in view of Cohen to include wherein the unauthorized attempt detection module is configured to portray the unauthorized user that a password entered is wrong, and requests to try again, using the known method of requiring the user to re-enter his password if the analysis indicates that the current user is not the genuine user, as taught by Novick, in combination with the pulse protection system of Costello in view of Cohen, for the purpose of collecting additional fraudulent password data. Regarding claim 23, Costello in view of Cohen teaches the method of claim 17. Costello does not clearly teach a step of portraying the unauthorized user that a password entered is wrong, and requesting retries, and collecting intelligence through the repeated interaction. Cohen further teaches …collecting intelligence through the repeated interaction, at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include collecting intelligence through the repeated interaction, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 17. Costello in view of Cohen does not clearly teach a step of portraying the unauthorized user that a password entered is wrong, and requesting retries, and collecting intelligence through the repeated interaction. Novick teaches a step of portraying the unauthorized user that a password entered is wrong, and requesting retries, and collecting intelligence through the repeated interaction, e.g., if the analysis indicates that the current user of the device is not the genuine user, then, one or more fraud-stopping operations or additional authentication operations may be triggered and performed, for example, requiring the user to re-enter his password or pass-phrase or Personal Identification Number (PIN) (Para. 367). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello in view of Cohen to include a step of portraying the unauthorized user that a password entered is wrong, and requesting retries, and collecting intelligence through the repeated interaction, using the known method of requiring the user to re-enter his password if the analysis indicates that the current user is not the genuine user, as taught by Novick, in combination with the pulse protection system of Costello in view of Cohen, for the purpose of collecting additional fraudulent password data. Claims 16 and 32 are rejected under 35 U.S.C. 103 as being unpatentable over Costello in view of Cohen in view of Novick in view of Moore et al. (US 2022/0021651 A1) and further in view of Williams, JR et al. (US 2015/0254555 A1). Regarding claim 16, Costello in view of Cohen teaches the system of claim 15. Costello does not clearly teach wherein the processor executing instructions for the analytics module is configured to compare Internet Protocol (IP) addresses to a bad-actors list, correlate regional origin information against known threat databases, detect base64-encoded malware, and generate forensic intelligence reports on unauthorized user activity. Cohen further teaches wherein the processor executing instructions for the analytics module is configured to compare Internet Protocol (IP) addresses to a bad-actors list…generate forensic intelligence reports on unauthorized user activity, e.g., information from computing logs and the like may be analyzed for these logins, such as to determine device identifiers, IP addresses, and the like to identify fraudsters (Cohen-Para. 18); at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include wherein the processor executing instructions for the analytics module is configured to compare Internet Protocol (IP) addresses to a bad-actors list, and generate forensic intelligence reports on unauthorized user activity, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 1. Costello in view of Cohen does not clearly teach wherein the processor executing instructions for the analytics module is configured to compare Internet Protocol (IP) addresses to a bad-actors list, correlate regional origin information against known threat databases, detect base64-encoded malware, and generate forensic intelligence reports on unauthorized user activity. Novick teaches wherein the processor, e.g., processor 111 (Fig. 1, el. 111), executing instructions for the analytics module, e.g., IP Spoofing/Proxy Server Detector module 175 (Fig. 1, el. 175), is configured to compare Internet Protocol (IP) addresses to a bad-actors list, correlate regional origin information against…databases,…, e.g., the system may detect that the bank account of victim Victor, particularly during the usage session in which the wire transferred was commanded, was controlled by an end-user device that performed IP address spoofing, for example, based on lags or delays or latency that are detected in the communication channel (e.g., the spoofed IP address is a nearby IP address in the same country as the bank server computer, but a Ping time indicates a far-away end-user-device in a far country), and/or by using a Bogon Filtering mechanism (e.g., detecting a bogus/fake IP address that is not in any range allocated by the Internet Assigned Numbers Authority (IANA) or by a delegated Regional Internet Registry (RIR) for public Internet use) (Para. 71); and generate forensic intelligence reports on unauthorized user activity, e.g., based on such detection, and by detecting that a wire transfer was performed during the Remote Access usage session from the remotely-controlled bank account to the recipient account, an IP-Spoofing-Based Mule-Account Detector module 176 determines that the bank account of the recipient (Bob in this example) is actually a Mule bank account, and generates a mule account notification with regard to that bank account, and triggers a fraud mitigation process (Para. 71). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello in view of Cohen to include wherein the processor executing instructions for the analytics module is configured to compare Internet Protocol (IP) addresses to a bad-actors list, correlate regional origin information against databases, and generate forensic intelligence reports on unauthorized user activity, using the known method of detecting a bogus/fake IP address that is not in any range allocated by the IANA or by a delegated Regional Internet Registry (RIR) for public Internet use, as taught by Novick, in combination with the pulse protection system of Costello in view of Cohen, for the purpose of improving the security of the system by detecting fake IP addresses that are not in any regional approved IP address database. Costello in view of Cohen in view of Novick does not clearly teach wherein the processor executing instructions for the analytics module is configured to compare Internet Protocol (IP) addresses to a bad-actors list, correlate regional origin information against known threat databases, detect base64-encoded malware, and generate forensic intelligence reports on unauthorized user activity. Moore teaches wherein the processor executing instructions for the analytics module is configured to compare Internet Protocol (IP) addresses to a bad-actors list, correlate regional origin information against known threat databases,…, and generate forensic intelligence reports on unauthorized user activity, e.g., the identification of communications that are associated with Internet threats may leverage databases of cyber threat intelligence (CTI) reports that are available from many CTI provider organizations, wherein these CTI reports may include indicators, or threat indicators, or Indicators-of-Compromise (IoCs), that are unique identifiers of Internet hosts or Internet hosts' resources that are associated with malicious activity, wherein the CTI indicators may include Internet network addresses—in the form of IP addresses, hostnames/domain names, URIs, and the like—of resources that may be controlled and/or operated by threat actors, or that otherwise may be associated with malicious activity, wherein in addition to threat indicators, CTI reports may include additional information associated with the threat, such as the type of threat, threat attribution and threat actor(s), characteristic behaviors, attack targets, geographic and geo-political information, and the like (Para. 32); the enterprise may create policies composed of packet-filtering rules derived from the CTI indicators, configure packet filtering devices with the policies, and protect its enterprise networks from Internet threats (Para. 33). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello in view of Cohen in view of Novick to include wherein the processor executing instructions for the analytics module is configured to compare Internet Protocol (IP) addresses to a bad-actors list, correlate regional origin information against known threat databases, and generate forensic intelligence reports on unauthorized user activity, using the known method of creating policies from CTI indicators, wherein the CTI indicators include threat information such as IP addresses and geographic information and wherein the CTI indicators be provided from multiple databases, as taught by Moore, in combination with the pulse protection system of Costello in view of Cohen in view of Novick, for the purpose of improving the security of the system by utilizing multiple CTI databases. Costello in view of Cohen in view of Novick in view of Moore does not clearly teach wherein the processor executing instructions for the analytics module is configured to compare Internet Protocol (IP) addresses to a bad-actors list, correlate regional origin information against known threat databases, detect base64-encoded malware, and generate forensic intelligence reports on unauthorized user activity. Williams, JR teaches wherein the processor executing instructions for the analytics module, e.g., these program instructions may be provided to a processor to produce a machine, such that the instructions, which execute on the processor, create means for implementing the actions specified in the flowchart block or blocks (Para. 151), is configured to…detect base64-encoded malware, and generate forensic intelligence reports on unauthorized user activity, e.g., FIG. 12 is a table diagram showing the sample results of a real-time scoring of website files being analyzed for malicious code, wherein a Base64 type of exploit was detected (Fig. 12; Para. 164). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello in view of Cohen in view of Novick in view of Moore to include wherein the processor executing instructions for the analytics module is configured to detect base64-encoded malware, and generate forensic intelligence reports on unauthorized user activity, using the known method of detecting a Base64 type of exploit, as taught by Williams, JR, in combination with the pulse protection system of Costello in view of Cohen in view of Novick in view of Moore, for the purpose of improving the security of the system by detecting a Base64 type of exploit. Regarding claim 32, Costello in view of Cohen teaches the method of claim 17. Costello does not clearly teach a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check, region correlation, base64 encoded malware detection and threat database comparison, and redirecting the unauthorized user to the safe zone for intelligence gathering. Cohen further teaches a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check,…and redirecting the unauthorized user to the safe zone for intelligence gathering, e.g., information from computing logs and the like may be analyzed for these logins, such as to determine device identifiers, IP addresses, and the like to identify fraudsters (Cohen-Para. 18); at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check, region correlation, and redirecting the unauthorized user to the safe zone for intelligence gathering, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 17. Costello in view of Cohen does not clearly teach a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check, region correlation, base64 encoded malware detection and threat database comparison, and redirecting the unauthorized user to the safe zone for intelligence gathering. Novick teaches a step of combining multiple analytics by the processor executing instructions for an analytics module, e.g., IP Spoofing/Proxy Server Detector module 175 (Fig. 1, el. 175), the analytics including IP bad actor check, region correlation, and…database comparison, and redirecting the unauthorized user to the safe zone for intelligence gathering, e.g., the system may detect that the bank account of victim Victor, particularly during the usage session in which the wire transferred was commanded, was controlled by an end-user device that performed IP address spoofing, for example, based on lags or delays or latency that are detected in the communication channel (e.g., the spoofed IP address is a nearby IP address in the same country as the bank server computer, but a Ping time indicates a far-away end-user-device in a far country), and/or by using a Bogon Filtering mechanism (e.g., detecting a bogus/fake IP address that is not in any range allocated by the Internet Assigned Numbers Authority (IANA) or by a delegated Regional Internet Registry (RIR) for public Internet use) (Para. 71); and generate forensic intelligence reports on unauthorized user activity, e.g., based on such detection, and by detecting that a wire transfer was performed during the Remote Access usage session from the remotely-controlled bank account to the recipient account, an IP-Spoofing-Based Mule-Account Detector module 176 determines that the bank account of the recipient (Bob in this example) is actually a Mule bank account, and generates a mule account notification with regard to that bank account, and triggers a fraud mitigation process (Para. 71). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello in view of Cohen to include a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check, region correlation, and database comparison, and redirecting the unauthorized user to the safe zone for intelligence gathering, using the known method of detecting a bogus/fake IP address that is not in any range allocated by the IANA or by a delegated Regional Internet Registry (RIR) for public Internet use, as taught by Novick, in combination with the pulse protection system of Costello in view of Cohen, for the purpose of improving the security of the system by detecting fake IP addresses that are not in any regional approved IP address database. Costello in view of Cohen in view of Novick does not clearly teach a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check, region correlation, base64 encoded malware detection and threat database comparison, and redirecting the unauthorized user to the safe zone for intelligence gathering. Moore teaches a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check, region correlation,…and threat database comparison, and redirecting the unauthorized user to the safe zone for intelligence gathering, e.g., the identification of communications that are associated with Internet threats may leverage databases of cyber threat intelligence (CTI) reports that are available from many CTI provider organizations, wherein these CTI reports may include indicators, or threat indicators, or Indicators-of-Compromise (IoCs), that are unique identifiers of Internet hosts or Internet hosts' resources that are associated with malicious activity, wherein the CTI indicators may include Internet network addresses—in the form of IP addresses, hostnames/domain names, URIs, and the like—of resources that may be controlled and/or operated by threat actors, or that otherwise may be associated with malicious activity, wherein in addition to threat indicators, CTI reports may include additional information associated with the threat, such as the type of threat, threat attribution and threat actor(s), characteristic behaviors, attack targets, geographic and geo-political information, and the like (Para. 32); the enterprise may create policies composed of packet-filtering rules derived from the CTI indicators, configure packet filtering devices with the policies, and protect its enterprise networks from Internet threats (Para. 33). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello in view of Cohen in view of Novick to include a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check, region correlation, and threat database comparison, and redirecting the unauthorized user to the safe zone for intelligence gathering, using the known method of creating policies from CTI indicators, wherein the CTI indicators include threat information such as IP addresses and geographic information and wherein the CTI indicators be provided from multiple databases, as taught by Moore, in combination with the pulse protection system of Costello in view of Cohen in view of Novick, for the purpose of improving the security of the system by utilizing multiple CTI databases. Costello in view of Cohen in view of Novick in view of Moore does not clearly teach a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check, region correlation, base64 encoded malware detection and threat database comparison, and redirecting the unauthorized user to the safe zone for intelligence gathering. Williams, JR teaches a step of combining multiple analytics by the processor executing instructions for an analytics module, e.g., these program instructions may be provided to a processor to produce a machine, such that the instructions, which execute on the processor, create means for implementing the actions specified in the flowchart block or blocks (Para. 151), the analytics including base64 encoded malware detection, e.g., FIG. 12 is a table diagram showing the sample results of a real-time scoring of website files being analyzed for malicious code, wherein a Base64 type of exploit was detected (Fig. 12; Para. 164). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello in view of Cohen in view of Novick in view of Moore to include a step of combining multiple analytics by the processor executing instructions for an analytics module, the analytics including IP bad actor check, region correlation, base64 encoded malware detection and threat database comparison, and redirecting the unauthorized user to the safe zone for intelligence gathering, using the known method of detecting a Base64 type of exploit, as taught by Williams, JR, in combination with the pulse protection system of Costello in view of Cohen in view of Novick in view of Moore, for the purpose of improving the security of the system by detecting a Base64 type of exploit. Relevant Prior Art The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. McConnell (US 2008/0004805 A1)—McConnell discloses a network-based system 120 includes threat database 122, which may contain Intrusion Detection System ("IDS") or Firewall logs identifying a threat in the system. For example, IDS or Firewall logs may contain the attack type, description, and impacted GPS device information such as an IP Address of the impacted GPS device. In addition, GPS device 140 is capable of providing information such as the IP address and geographic coordinates (e.g., latitude and longitude) of the device. Finally, mapping system 150 includes mapping database 152, which may correlate and contain data from threat database and GPS device(s), as described below, to map the intrusion(s) (Para. 38). Isola et al. (US 2019/0036926 A1)—Isola discloses logically disabling or blocking an endpoint device 106 may involve rerouting data traffic associated with the endpoint device 106 to a safe zone, wherein transferring the traffic associated with the endpoint device 106 to the safe zone allows the endpoint device 106 to be monitored and recorded in a low-risk environment without jeopardizing the system 100 and communications network 102 (Para. 45). Ding (CN 105681323 B)—Ding discloses an information hiding type wireless transmission method based on time reversal, belonging to the electronic technical field. The invention emits broadband narrow pulse A (t), the processed time domain cloak signal C (t) to obtain the pulse or pulse train S code (t), synthesizing one signal Y (t) and C (t). S (t) and C (t) is time interval is Δ t, Y (t) into the first reverberation chamber, which is processed to form a new signal Z (t) (Abstract). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMY DUFFIELD whose telephone number is (571)270-1643. The examiner can normally be reached Monday - Friday, 7:00 AM - 3:00 PM (ET). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at (571) 272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 12 December 2025 /Jeremy S Duffield/Primary Examiner, Art Unit 2498