SYSTEM AND METHOD FOR DETECTING DIGITAL INTRUSION AND REDIRECTING TO SAFE ZONE IN REAL-TIME

§103 §112

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority No priority claims exist for the instant application. Therefore, the effective filing date of the claims will be 18 October 2022. Response to Arguments Applicant’s arguments, see page 19, filed 18 September 2025, with respect to the rejection of claims 16 and 32 under 35 U.S.C. 103—“Advanced analytics including IP bad actor checks, malware detection (with base64- encoded payloads), regional correlation against threat databases, and forensic reporting”, have been fully considered and are persuasive in light of the new claim amendments. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Costello et al. (US 2020/0220722 A1), Cohen et al. (US 2023/0006844 A1), Novick et al. (US 2020/0273040 A1), Moore et al. (US 2022/0021651 A1) and Williams, JR et al. (US 2015/0254555 A1). For a detailed analysis see the 35 U.S.C. 103 section below. Applicant's additional arguments filed 18 September 2025 have been fully considered but they are not persuasive. In response to applicant’s arguments that “Continuous and programmatic reprogramming of micro pulses and pulse values to resist brute-force and quantum-level attacks”, stated on page 19, the examiner respectfully disagrees. Costello discloses enabling the first component 60 to insert, or in other words, add a data authentication pulse of a specified frequency, amplitude and possibly dampening factor to a communication signal. First component 60 may, in other words, superimpose the data authentication pulse on top of at least one or more pulses of the communication signal to obtain the encrypted communication signal (Para. 38). The system may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78). Therefore, the combination of the cited prior art teaches the aforementioned limitation. In response to applicant’s arguments that “Integration of an unauthorized attempt detection module configured to deliver neutral or deceptive feedback while preserving a spoofed connection for intelligence gathering”, stated on page 19, the examiner respectfully disagrees. Cohen discloses if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Therefore, the combination of the cited prior art teaches the aforementioned limitation. In response to applicant’s arguments that “Redirection of intruders into reverse-phishing forensic environments and safe zones designed to collect origin, intent, and behavioral data”, stated on page 19, the examiner respectfully disagrees. Cohen discloses if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Therefore, the combination of the cited prior art teaches the aforementioned limitation. In response to applicant’s arguments that the cited prior art “neither teaches nor suggests the claimed approach of deliberately portraying incorrect authentication results and simultaneously prolonging the spoofed connection to collect forensic intelligence from the unauthorized user”, stated on page 20, the examiner respectfully disagrees. Cohen discloses if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Novick discloses if the analysis indicates that the current user of the device is not the genuine user, then, one or more fraud-stopping operations or additional authentication operations may be triggered and performed, for example, requiring the user to re-enter his password or pass-phrase or Personal Identification Number (PIN) (Para. 367). Therefore, the combination of the cited prior art teaches the aforementioned limitation. In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, Cohen the use of honeypot traps such as fake login interfaces in order to gain additional information. Novick discloses determining that a user is not a genuine user and then requiring the user to re-enter his password. The combination of the Costello and Cohen with Novick discloses a system that uses Cohen’s fake login interfaces with Novick’s requirement of re-entering a password. The combination would allow the system to gain additional intelligence such as additional keystroke information and provide the system with additional time to identify the malicious user and device. The addition of Novick does not teach away from the combination, nor does it change the principle of operation of Costello in view of Cohen. Therefore, the combination is valid. Drawings The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference characters not mentioned in the description: Figure 5 of the drawings includes multiple element numbers that do not coincide with the specification. The specification at paragraph 62 correlates element 504 with both the “validating” and “identifying” steps, step 506 with the “determining” step, step 508 with the next “identifying” step, step 510 with the “redirecting” step, step 512 with the “spoofing” step, step 514 with the “refusing” step, and step 516 with the “enabling” step. The specification does not include an element 518. Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance. Specification No issues have been found with the specification amendments filed 18 September 2025. Claim Objections Claims 4, 17, 20, and 28 are objected to because of the following informalities: Regarding claim 4, line 4—“the spoofed connection”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 4 to state --a spoofed connection--, for example. Regarding claim 17, lines 33-36—“synchronizing a pulse oracle continuously change…”, the phrase appears to be missing one or more words. This objection may be overcome by amending lines 33-36 to state --synchronizing a pulse oracle, the pulse oracle continuously changing--, for example. Regarding claim 17, line 38—“the safe zone”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 38 to state --a safe zone--, for example. Regarding claim 20, line 3—“the spoofed connection”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 3 to state --a spoofed connection--, for example. Regarding claim 28, line 3—“the spoofed connection”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 3 to state --a spoofed connection--, for example. Regarding claim 28, line 2—“the additional intelligence”, lacks sufficient antecedent basis for the claim. This objection may be overcome by amending line 3 to state --additional intelligence--, for example. Appropriate correction is required. Claim Interpretation The following is a quotation of 35 U.S.C. 112(f): (f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph: An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph: (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: “the unauthorized attempt detection module is configured to provide…” in claim 4. Because the claim limitation is being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it is being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. If applicant does not intend to have the limitation interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation to avoid it being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation recites sufficient structure to perform the claimed function so as to avoid it being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Regarding the “unauthorized attempt detection module” limitation listed above, the unauthorized attempt detection module is part of the pulse reader module 204 and the pulse reader module 204 is part of the pulse intrusion detection module 116 (see Fig. 1, el. 116; Fig. 2, el. 116, 204, 216). The pulse intrusion detection module 116 is stored within memory 114 (see Fig. 1, el. 114, 116). The unauthorized attempt detection module 216 may be configured to identify the digital intrusion of the unauthorized user during the in-process communication between the first computing device 102 and the third computing device 105. The unauthorized attempt detection module 216 may be configured to re-direct the unauthorized user to the safe zone for collecting/gathering the forensic data about the unauthorized user and their intent, origin. The unauthorized attempt detection module 216 may be configured to portray the unauthorized user that a password entered is wrong, and requests to try again (see Para. 47). The processor 112 includes the memory 114 may be configured to store the pulse intrusion detection module 116 on the first computing device 102 and the third computing device 105 (see Para. 34). The pulse intrusion detection module 116 is accessed as a mobile application, web application, and software that offers the functionality of accessing mobile applications and viewing/processing interactive pages (see Para. 35). Therefore, the aforementioned module limitation has structural support in the specification by virtue of the module including algorithm instructions that are stored in memory and executed by a processor. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 6 and 28 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Regarding claim 6, line 4—“a safe zone”, it is unclear as to whether “a safe zone” is referring to “a safe zone” of claim 1. For examination purposes, “a safe zone” of line 4 and claim 1 will be interpreted to be the same. In order to overcome this rejection, line 4 may be amended to state --the safe zone--, for example. Regarding claim 28, line 5—“forensic evidence”, it is unclear as to whether “forensic evidence” is referring to “forensic evidence” of claim 17. For examination purposes, “forensic evidence” of line 5 and claim 17 will be interpreted to be the same. In order to overcome this rejection, line 5 may be amended to state --the forensic evidence--, for example. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1, 4, 6, 9, 10, 12, 14, 15, 17, 20, 22, 25, 26, 28, 30, and 31 are rejected under 35 U.S.C. 103 as being unpatentable over Costello et al. (US 2020/0220722 A1) in view of Cohen et al. (US 2023/0006844 A1). Regarding claim 1, Costello teaches a system for detecting digital intrusion in real-time…, e.g., optical system 70 (Fig. 2, el. 70), comprising: a first computing device, e.g., controller 72 (Fig. 2, el. 72); first sensor 82 (Fig. 2, el. 82), and a third computing device, e.g., controller 72 (Fig. 2, el. 72); first sensor 82 (Fig. 2, el. 82), comprising a processor, e.g., processing circuitry 77 (Fig. 2, el. 77); processing circuitry 86 may include an MCU (Fig. 2, el. 86; Para. 52), a memory, e.g., controller 72 includes memory (Para. 49); an MCU includes a computer on a single integrated circuit containing a processor core, memory, and programmable input/output peripheral (Para. 49), and a pulse intrusion detection module, wherein the processor coupled with the memory configured to store a digital intrusion detection module, the pulse intrusion detection module comprises a pulse injector, a pulse reader, a pulse oracle, and a pulse data manager, e.g., XCVR 79 (Fig. 2, el. 79); XCVR 89 (Fig. 2, el. 89); XCVR 89 may transmit encrypted communication signal 204 (or 210) to XCVR 79, which may receive encrypted communication signal 204/210, wherein XCVR 79 may determine whether data authentication pulse 202 has been superimposed over at least one of the one or more pulses (Fig. 2, el. 202, 204, 210; Para. 70); XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78); whereby the pulse injector configured to construct a set of micro pulses and corresponding values that are continuously and programmatically changeable into a pulse and the pulse is injected into at least one of: content; a document; and a communication thereby creating at least one of: a pulse protected content; a pulse-protected document; and a pulse-protected communication, e.g., XCVR 89 inserts these secondary digital signals 202 (data authentication pulses 202) into communication signal 200 to obtain encrypted communication signal 204 (Para. 66); an encrypted communication signal 210 that includes a start pulse 206 (which may be similar if not the same as secondary digital signals 202) followed by an 8-bit word in which two pulses include secondary digital signals 202A and 202B, and concluding with a stop pulse 208 (Fig. 9, el. 202A, 202B, 204, 206, 210; Para. 65); XCVR 89 may transmit encrypted communication signal 204 (or 210) to XCVR 79, which may receive encrypted communication signal 204/210, wherein XCVR 79 may determine whether data authentication pulse 202 has been superimposed over at least one of the one or more pulses (Para. 70); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); the pulse reader configured to remain in synchronization with the pulse injector, e.g., XCVR 89 may vary frequencies and amplitudes of data authentication pulses 202 according to a pseudo random sequence, and/or pulse location within communication signal 200 in which data authentication pulses 202 are inserted according to the pseudo random sequence (Para. 66); if the data frequencies and damping ratios are known in advance, a Goertzel-like approach may be more efficient for a small number of frequencies (Para. 73); both electrical transmitter 62 and electrical receiver 64 may be configured to identify which of the one or more pulses (are to, in the context of electrical transmitter 62) include the data authentication pulse according to a pseudo random sequence (and both electrical transmitter 62 and electrical receiver 64 use the same pseudo random sequence—e.g., by configuring both electrical transmitter 62 and electrical transmitter 64 with the same seed value) (Fig. 1, el. 62, 64; Para. 41), the pulse reader configured to validate the pulse of at least one of: a valid user; and an unauthorized user, e.g., XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78); the pulse oracle configured to continuously and programmatically change the micro pulses and corresponding values to mitigate brute-force and quantum-level attacks, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78), to generate forensic evidence, e.g., XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); and …. Costello does not clearly teach redirecting to a safe zone; and to redirect the unauthorized user to the safe zone. Cohen teaches redirecting to a safe zone; and the…oracle configured…to redirect the unauthorized user to the safe zone, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include redirecting to a safe zone; and to redirect the unauthorized user to the safe zone, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, for the purpose of allowing the untrusted network device to be monitored while preventing the untrusted network device from performing any malicious activities to the network. Regarding claim 4, Costello in view of Cohen teaches the system of claim 1. Costello does not clearly teach wherein the pulse reader comprising an unauthorized attempt detection module is configured to provide neutral feedback or misleading responses, including portraying incorrect authentication results or prolonging the spoofed connection, upon considering an attempt deemed to be malicious. Cohen further teaches wherein the…reader comprising an unauthorized attempt detection module is configured to provide neutral feedback or misleading responses, including portraying incorrect authentication results or prolonging the spoofed connection, upon considering an attempt deemed to be malicious, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Examiner note: claim 4 indicates the two alternative options of providing neutral feedback or providing misleading responses. The “portraying incorrect authentication results or prolonging the spoofed connection” could be interpreted to be part of either option. The examiner suggests clarifying the claim language. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include wherein the pulse reader comprising an unauthorized attempt detection module is configured to provide neutral feedback or misleading responses, including portraying incorrect authentication results or prolonging the spoofed connection, upon considering an attempt deemed to be malicious, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 1. Regarding claim 6, Costello in view of Cohen teaches the system of claim 1, wherein the processor executing instructions for an unauthorized attempt detection module is configured to re-direct the unauthorized user into a safe zone or virtual environment for gathering forensic data, intent, and origin, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Regarding claim 9, Costello in view of Cohen teaches the system of claim 1, wherein the pulse oracle is configured to continuously rotate and reprogram the micro pulses and corresponding values in real-time to remove a progress of brute-force attacks, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Costello-Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Costello-Para. 78). Regarding claim 10, Costello in view of Cohen teaches the system of claim 1, wherein the pulse oracle is configured to dynamically change the pulse in real-time to provide resilience against quantum-level attacks without impact on communication quality, e.g., XCVR 89 may vary frequencies and amplitudes of data authentication pulses 202 according to a pseudo random sequence, and/or pulse location within communication signal 200 in which data authentication pulses 202 are inserted according to the pseudo random sequence (Costello-Para. 66); XCVR 79 may decode, responsive to authenticating the one or more pulses as the valid representation of the data, the one or more pulses to obtain the data (Costello-Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Costello-Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Costello-Para. 78). Regarding claim 12, Costello in view of Cohen teaches the system of claim 1. Costello does not clearly teach wherein the pulse oracle comprising an information-gathering module is configured to request the additional intelligence from the unauthorized user as part of a spoofed connection strategy while maintaining a connection. Cohen further teaches wherein the pulse oracle comprising an information-gathering module is configured to request the additional intelligence from the unauthorized user as part of a spoofed connection strategy while maintaining a connection, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include wherein the pulse oracle comprising an information-gathering module is configured to request the additional intelligence from the unauthorized user as part of a spoofed connection strategy while maintaining a connection, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 1. Regarding claim 14, Costello in view of Cohen teaches the system of claim 1. Costello does not clearly teach wherein the processor executing instructions for a redirecting module of the pulse intrusion detection module is configured to re-direct the unauthorized user into a reverse-phishing virtual environment intended to run forensic analysis and capture forensic data on the unauthorized user's origin and intent. Cohen further teaches wherein the processor, e.g., Client device 110, malicious device 120, and/or service provider server 130 may each include one or more processors, memories, and other appropriate components for executing instructions (Cohen-Para. 23), executing instructions for a redirecting module of the…intrusion detection module is configured to re-direct the unauthorized user into a reverse-phishing virtual environment intended to run forensic analysis and capture forensic data on the unauthorized user's origin and intent, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Cohen-Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Cohen-Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include wherein the processor executing instructions for a redirecting module of the pulse intrusion detection module is configured to re-direct the unauthorized user into a reverse-phishing virtual environment intended to run forensic analysis and capture forensic data on the unauthorized user's origin and intent, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, using the same motivation as in claim 1. Regarding claim 15, Costello in view of Cohen teaches the system of claim 1, wherein the processor executing instructions for an analytics module of the pulse intrusion detection module is configured to perform analytics to identify additional intelligence about the unauthorized user, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Costello-Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Costello-Para. 78); Also note Cohen discloses at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93), and if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Regarding claim 17, Costello teaches a method for detecting digital intrusion and…, comprising: constructing a set of dynamically reprogrammable micro pulses and corresponding values into a pulse and injecting into content, a document, or a communication, e.g., XCVR 89 inserts these secondary digital signals 202 (data authentication pulses 202) into communication signal 200 to obtain encrypted communication signal 204 (Para. 66); an encrypted communication signal 210 that includes a start pulse 206 (which may be similar if not the same as secondary digital signals 202) followed by an 8-bit word in which two pulses include secondary digital signals 202A and 202B, and concluding with a stop pulse 208 (Fig. 9, el. 202A, 202B, 204, 206, 210; Para. 65); XCVR 89 may transmit encrypted communication signal 204 (or 210) to XCVR 79, which may receive encrypted communication signal 204/210, wherein XCVR 79 may determine whether data authentication pulse 202 has been superimposed over at least one of the one or more pulses (Para. 70); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); enabling a pulse reader, e.g., XCVR 79 (Fig. 2, el. 79); XCVR 89 (Fig. 2, el. 89), to validate the pulse of a valid user or unauthorized user, e.g., XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78); synchronizing the pulse injector with the pulse reader to detect unauthorized access attempts, e.g., XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack (Para. 78); determining whether the pulses are valid or appear in a bad actor list;, e.g., XCVR 79 may perform authentication, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses of encrypted communication signal 204/210 (Para. 74); responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); synchronizing a pulse oracle continuously change the micro pulses and values, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); to generate forensic evidence, e.g., XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); refuse unauthorized access, e.g., responsive to a failed authentication of the one or more pulses as the valid representation of the data, XCVR 79 may reconfigure the frequency filter to obtain a different subset of the plurality of frequency components (Para. 75); XCVR 79 and XCVR 89 may adapt frequency, amplitudes and dampening factors responsive to detecting a potential cyberattack, and in the event a hacker or other malicious agent spoofs the system and transmits data, XCVR 79 may detect such intrusion and a time of attack, providing a log or other timeline that may facilitate identification the malicious agents (Para. 78); assuming valid authentication of encrypted communication signal 204′, signal processing and decryption unit 402 may output communication signal 200′ to decoding unit 404, which may perform additional decoding to obtain the underlying data (Fig. 10, el. 200’, 204’, 402, 404; Para. 83), and …. Costello does not clearly teach redirecting to a reverse-phishing area to spoof authentication in real-time; and to redirect the unauthorized user to the safe zone for spoof authentication. Cohen teaches redirecting to a reverse-phishing area to spoof authentication in real-time, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55); and to redirect the unauthorized user to the safe zone for spoof authentication, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Costello to include redirecting to a reverse-phishing area to spoof authentication in real-time, and to redirect the unauthorized user to the safe zone for spoof authentication, using the known method of deploying fake interfaces for login to gain additional information from the malicious device, as taught by Cohen, in combination with the pulse protection system of Costello, for the purpose of allowing the untrusted network device to be monitored while preventing the untrusted network device from performing any malicious activities to the network. Regarding claim 20, Costello in view of Cohen teaches the method of claim 17. Costello does not clearly teach a step of providing neutral or deceptive feedback designed to prolong the spoofed connection upon detecting a malicious attempt. Cohen further teaches a step of providing neutral or deceptive feedback designed to prolong the spoofed connection upon detecting a malicious attempt, e.g., at step 414, it is determined whether to authenticate a use of the account based on matching of the dynamic values, and if the dynamic values do not match, authentication may be refused, and/or step-up authentication may be required, wherein if the dynamic value from the received cookie is flagged, the device requesting the login may be monitored and/or honeypot pages may be deployed (Fig. 4A, el. 414; Fig. 6, el. 616; Para. 93); if the dynamic value has been flagged as compromised previously, service provider server 130 may also deploy one or more honeypot traps, such as fake interfaces for login, electronic transaction processing requests, and the like, which may attempt to gain additional information from malicious device 120, wherein this may also include accessing computing logs associated with the login to monitor additional data (Fig. 1, el. 120, 130; Para. 55). Examiner note: claim 20 indicates the two alternative options of p