Prosecution Insights
Last updated: April 19, 2026
Application No. 18/188,850

HONEYPOT IDENTIFICATION METHOD, APPARATUS, DEVICE, AND MEDIUM BASED ON CYBERSPACE MAPPING

Non-Final OA §103
Filed: Mar 23, 2023
Examiner: GYORFI, THOMAS A
Art Unit: 2435
Tech Center: 2400 — Computer Networks
Assignee: Tencent Cloud Computing (Beijing) Co. Ltd.
OA Round: 3 (Non-Final)
Grant Probability: 75% (Favorable)
OA Rounds: 3-4
To Grant: 3y 6m
With Interview: 92%

Examiner Intelligence

Grants 75% — above average
Career Allow Rate: 75% (517 granted / 687 resolved), +17.3% vs TC avg
Strong +17% interview lift
Interview Lift: +16.8% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 6m
20 currently pending
Career history
Total Applications: 707 (across all art units)

Statute-Specific Performance

§101: 9.0% (-31.0% vs TC avg)
§103: 50.9% (+10.9% vs TC avg)
§102: 21.9% (-18.1% vs TC avg)
§112: 8.1% (-31.9% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 687 resolved cases

Office Action

§103
DETAILED ACTION

Claims 1 and 3-21 remain for examination. The amendment filed 3/2/26 amended claims 1, 6, 14, and 18-21.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 3/2/26 has been entered.

Response to Arguments

Applicant’s arguments, see pages 11-12 of the amendment filed 3/2/26, with respect to the rejection(s) of claim(s) 1-21 under Seger, Ries, and Sun have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of the newly discovered reference(s) to the Shodan security tool.

Claim Rejections - 35 USC § 103

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claims 1, 3-6, 8-16, & 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Seger (U.S. Patent 9,716,727) in view of Ries (U.S. Patent Publication 2021/0067553) in view of “Shodan Pentesting Guide” (hereinafter, “Shodan”).

Regarding claims 1, 19, and 20: Seger discloses a honeypot identification method, apparatus, and non-transitory computer readable storage medium based on cyberspace mapping, the method comprising: determining one or more open ports corresponding to a target Internet Protocol address (col. 2, line 62 – col. 
3, line 10: “For example, a network security audit/scan can be used to identify which computers (e.g., desktop computers, laptop computers, servers, appliances, and/or other computing devices) are on a network, determine which ports are open on a particular computer on the network (e.g., performing port scanning to determine which ports are active/listening on target hosts), and what services are being offered via any such ports”; see also col. 6, lines 3-30, including: “For example, probes can be sent from scanning tool 102 to a target device (e.g., node 118 or another node) of target enterprise network 130. Specifically, scanner 104 generates and sends selected probes to a given target device, and then evaluates the responses to generate a fingerprint that can be used to identify various attributes of the target device, such as an operating system and version, open ports and available services, and/or other attributes. Scanning tool 102 can be configured to examine remote and/or local computers via one or more of a variety of public and/or private networks, including a SAN, LAN, WAN, or combination thereof. For example, scanning system 102 can be configured to interrogate open ports (e.g., open TCP ports, open UDP ports, and/or other open ports) to determine device type, OS type and version, available services, and/or other attributes associated with the target device”); determining a target open port from the one or more open ports (Ibid); and determining system environment information corresponding to the target open port (col. 6, Ibid); determining cyberspace mapping data corresponding to the target Internet Protocol address based on at least the one or more open ports and the system environment information (col. 
13, lines 17-36, including “In an example implementation, the translation engine can also map each actual IP address value of each device detected in the Nmap survey results of the target enterprise network to a target IP address in the IP address space associated with the honey network. In some cases, for each device with an actual IPx value in the target enterprise network based on the Nmap survey, results can be mapped to a new target IPy value with the same associated attributes (e.g., device type, OS type and version, application type and version, open port numbers, services on such open ports, etc.) to include in the honey network to be generated”; see also the systems and services table(s) recording the mapping information at col. 13, lines 37-61); and analyzing the cyberspace mapping data to determine a first honeypot identification result corresponding to the target Internet Protocol address (e.g. col. 16, lines 16-35; based on inter alia the targeted IP address and mapping information, the invention identifies the correct honeypot instance to redirect an attacker’s probes to).

Seger does not disclose acquiring account login information corresponding to the target open port, a service type corresponding to the target open port being an account login service type; and logging in to a service of the target open port based on the account login information. However, Ries discloses a related computer security related invention using honeypots wherein it was known in the art that honeypots could provide dummy credentials to allow attackers to login in the belief that they were accessing legitimate nodes on the network (paragraphs 0011, 0044-0046, and 0077-0079). 
It would have been obvious prior to the effective filing date of the instant application for Seger to allow access to the honeynet via dummy login information as disclosed by Ries, as the credentials can be used as bait to lure attackers and collect data about their tactics without compromising real resources (Ries, paragraph 0070).

Neither Seger nor Ries explicitly discloses responding to a trigger operation comprising a target Internet Protocol address for which to identify whether the target Internet Protocol address is a honeypot, the target Internet Protocol address being an arbitrary external Internet Protocol address of unknown honeypot status; and wherein the first honeypot identification result identifies whether the target Internet Protocol address is a honeypot. However, Shodan discloses a related invention for detecting and identifying honeypots comprising responding to a trigger operation comprising a target Internet Protocol address for which to identify whether the target Internet Protocol address is a honeypot, the target Internet Protocol address being an arbitrary external Internet Protocol address of unknown honeypot status (Shodan: all of page 31, “Honeypot score”; see also page 51 displaying sample code that inter alia takes an arbitrary IP address on the global Internet as an input parameter and produces a result reflecting the probability that the device with that address is a honeypot: “score = api.rest_api.honeypot_score(ip).wait”); and wherein the first honeypot identification result identifies whether the target Internet Protocol address is a honeypot (Shodan, Ibid). 
It would have been obvious prior to the effective filing date of the instant application for Seger and/or Ries to use their detection and port scanning abilities to determine if the device at a given IP address is a honeypot as disclosed by Shodan, as a person of ordinary skill in the art would have good reason to ensure that honeypots are not easily detectable by attackers; and that if one could easily identify a target device as a honeypot, then one can use that knowledge to improve the honeypot’s decoy ability so that it will not be identified as such in subsequent scans (Shodan, page 31, “2. What’s the purpose? … when trying to catch an intelligent attacker though, many honeypots fall short in creating a realistic environment. Honeyscore was created to raise awareness of the shortcomings of honeypots”).

Regarding claim 3: The combination further discloses wherein determining one or more open ports further comprises: performing port open detection on a port set corresponding to the target Internet Protocol address, and determining, in the port set, one or more open ports corresponding to the target Internet Protocol address (Seger, col. 2, line 62 – col. 3, line 10) comprising: transmitting a connection request to a port i in the port set corresponding to the target Internet Protocol address, i being a non-negative integer that is less than a port quantity corresponding to the port set; determining an open status of the port i as an opened state in response to receiving connection confirmation data returned by the port i; and defining a port with the open status in the opened state to be the open port (this being inherent functionality of the Nmap utility at Seger, col. 
3, lines 10-37).1

Regarding claim 4: The combination further discloses wherein determining a target open port further comprises: performing fingerprint detection analysis on the target Internet Protocol address and the one or more open ports; acquiring port fingerprint information corresponding to the one or more open ports; and defining, according to a service type in the port fingerprint information, an open port with the service type of the account login service type to be the target open port (Seger, col. 3, lines 10-45; & col. 6, lines 3-30).

Regarding claim 5: The combination further discloses wherein acquiring port fingerprint information further comprises: transmitting target data to a target server based on the target Internet Protocol address and the one or more open ports; receiving response data returned by the target server for the target data; performing feature analysis on the response data to obtain a service type corresponding to the one or more open ports; and defining the target Internet Protocol address, the open port, and the service type corresponding to the open port to be the port fingerprint information corresponding to the open port (Seger, Ibid).

Regarding claim 6: The combination further discloses wherein defining the open port further comprises: classifying the one or more open ports based on the service type in the port fingerprint information to obtain M open port groups, wherein the open ports comprised within one open port group have a same service type, and M being a positive integer; and determining, in the M open port groups, an open port comprised in an open port group with the service type of the account login service type as the target open port (this being inherent functionality of the Nmap utility at Seger, col. 
3, lines 10-37).2

Regarding claim 8: The combination further discloses wherein logging in to a service of the target open port and determining system environment information further comprises: acquiring, by using the logged-in target open port, an instruction execution result indicated by a target operation instruction, and determining the system environment information corresponding to the target open port based on the instruction execution result (Ries, paragraph 0080, particularly subparagraph (2) wherein inter alia API calls made by the attacker after logging in to the honeypot are recorded and logged).

Regarding claim 9: The combination further discloses wherein the acquiring the instruction execution result and determining the system environment information further comprises: transmitting a target operation instruction to a target server based on the target Internet Protocol address and the target open port, the target server being configured to execute the target operation instruction; and acquiring an instruction execution result returned by the target server; and determining the system environment information based on the target Internet Protocol address, the target open port, the target operation instruction, and the instruction execution result (Ries, Ibid; see also Seger, col. 13, lines 17-61).

Regarding claim 10: The combination further discloses wherein determining the cyberspace mapping data further comprises: combining address key information corresponding to the target Internet Protocol address, the one or more open ports, port fingerprint information corresponding to the one or more open ports, the account login information, and the system environment information into the cyberspace mapping data corresponding to the target Internet Protocol address (Seger, col. 10, line 64 – col. 11, line 30).

Regarding claim 11: The combination further discloses: analyzing the target Internet Protocol address using an information query interface associated with the target Internet Protocol address (Shodan, e.g. pages 30-32); acquiring geographic area location information, holder information, and a security label corresponding to the target Internet Protocol address (Shodan, Ibid); and defining the geographic area location information, the holder information, and the security label to be the address key information corresponding to the target Internet Protocol address (Shodan, Ibid).

Regarding claim 12: The combination further discloses wherein analyzing the cyberspace mapping data further comprises: separately analyzing the cyberspace mapping data by using K honeypot identification policies comprised in an identification policy set to obtain analysis results respectively corresponding to the K honeypot identification policies; and determining a first honeypot identification result corresponding to the target Internet Protocol address based on the obtained analysis results, the K honeypot identification policies identifying different types of honeypots, and K being a positive integer (Ries, paragraph 0138; see also paragraph 0110 for a non-limiting example where K=3).

Regarding claim 13: The combination further discloses wherein determining the first honeypot identification result further comprises: defining, when an analysis result corresponding to a honeypot identification policy that exists in the K honeypot identification policies is a honeypot result, the honeypot result to be the first honeypot identification result corresponding to the target Internet Protocol address; and defining, when the analysis results corresponding to the K honeypot identification policies are all undetermined results, the undetermined result to be the first honeypot identification result corresponding to the target Internet Protocol address (Ries, paragraphs 0136-0138).

Regarding claim 14: The combination further discloses wherein the K honeypot identification policies comprise a protocol defect determining policy; and wherein separately analyzing the cyberspace mapping data further comprises: acquiring a service protocol corresponding to the target Internet Protocol address from the cyberspace mapping data and transmitting a target command character corresponding to the service protocol to the target server; receiving a protocol response returned by the target server and defining the protocol response to be a protocol defect in response to detecting that the protocol response does not meet a standard response in a protocol standard; determining that an analysis result corresponding to the protocol defect determining policy is a honeypot result in response to the protocol defect meeting a determining condition in the protocol defect determining policy; and determining that the analysis result corresponding to the protocol defect determining policy is an undetermined result in response to the protocol defect does not meeting the determining condition in the protocol defect determining policy (Ries, paragraphs 0051 & 0082; see also Seger at col. 11, lines 10-30, and col. 23, lines 50-60). 

Regarding claim 15: The combination further discloses wherein the K honeypot identification policies comprise a port open quantity determining policy; and wherein separately analyzing the cyberspace mapping data further comprises: counting, in the cyberspace mapping data, a port open quantity corresponding to the one or more open ports and acquiring a port quantity threshold corresponding to the port open quantity determining policy (Ries, Ibid; Seger, Ibid); determining that an analysis result corresponding to the port open quantity determining policy is a honeypot result in response to the port open quantity being greater than the port quantity threshold (Ibid); and determining that the analysis result corresponding to the port open quantity determining policy is an undetermined result in response to the port open quantity being less than or equal to the port quantity threshold (Ibid; see also Shodan, pages 31 & 51-52).

Regarding claim 16: The combination further discloses adding, in response to detecting a target honeypot identification policy, the target honeypot identification policy to the identification policy set; separately performing, in response to obtaining a to-be-identified Internet Protocol address, data analysis on to-be-identified cyberspace mapping data corresponding to the to-be-identified Internet Protocol address by using (K+1) honeypot identification policies in the identification policy set to obtain analysis results respectively corresponding to the (K+1) honeypot identification policies, the (K+1) honeypot identification policy comprising the target honeypot identification policy; and obtaining a second honeypot identification result corresponding to the to-be-identified Internet Protocol address based on the analysis results respectively corresponding to the (K+1) honeypot identification policies (Ries, Ibid; Seger, Ibid).

Regarding claim 21: The combination further discloses wherein the responding to the trigger operation further comprises acquiring the target Internet Protocol address from a honeypot detection page, the method further comprising: displaying the first identification result on the honeypot detection page (Shodan, pages 30-32; and Seger, col. 3, lines 10-37 wherein this is inherent functionality of the Nmap utility).3

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Seger in view of Ries in view of Shodan as applied to claim 1 above, and further in view of McClintock (U.S. Patent 10,574,697).

Regarding claim 7: Neither Seger nor Ries nor Shodan discloses wherein acquiring account login information further comprises: combining an account and a password contained in an account and password dictionary to obtain N account and password combinations, N being a positive integer; and separately logging in to the service of the target open port by using the N account and password combinations; and determining the account and password combination with a successful login corresponding to the target open port. However, McClintock discloses a related invention for honeypots wherein these limitations were known in the art, and that an attacker can be redirected toward a honeypot when it is determined that said attacker is guessing via brute force a plurality of account and password combinations (McClintock, col. 2, lines 35-53).

It would have been obvious prior to the effective filing date of the instant application for the honeypot networks of Seger and/or Ries to recognize brute force guessing of accounts and passwords, as this was a well-known tactic in the art (McClintock, col. 1, lines 5-20), and the ability to reroute such attempts to a honeypot would achieve the predictable result of protecting one’s network by redirecting the attacker to somewhere where they can do no damage while having their activity logged (McClintock, col. 2, lines 1-16).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Seger in view of Ries in view of Shodan as applied to claim 1 above, and further in view of Chinese Patent Publication CN 105488389 A (hereinafter, “Wang”).

Regarding claim 17: The combination further discloses: writing the cyberspace mapping data and the first honeypot identification result into a first database, the first database serving as a primary database and providing a read/write service (the tables of Seger, col. 11, lines 1-30); however, neither Seger nor Ries nor Shodan discloses synchronously backing up data stored in the first database to a second database; disabling the read/write service of the first database in response to a failure of the first database, switching the second database to the primary database that provides the read/write service, and interrupting data synchronization backup between the first database and the second database; and synchronously backing up data stored in the second database to the first database in response to the first database restoring functionality. However, Wang discloses a related invention for using honeypots wherein these limitations are taught (page 2, “invention contents”: “The invention claims a honey database updating and restoration method and system, the technical solution of the invention is provided with a backup database, the initial data database the same as honeypot; after processing the real service data for the incremental data can be updated to honeypots the database and backup database, so that the attacker can feel the updated data when it is intruded honeypot database, making the trust the honeypots database is a real service data, and for further operation. 
after the honeypots database is an attacker changes, then it can copy and backup database to form a new honeypots database is put into use, the consumed time is far less than the prior art” and page 3, 1st paragraph: “if the background receives the reduction request, deleting the raw honey pot database and the backup database replication to form a new honeypots database, and configuring a new honeypots database authority based on the raw honey pot database and the new honeypots database is put into use.”)

It would have been obvious prior to the effective filing date of the instant application for Seger and/or Ries to be able to backup and restore the honeypot networks of those inventions, as doing so helps convince attackers that the honeypot is real (Wang, page 2, Ibid; see also page 6, 1st paragraph).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Seger in view of Ries in view of Shodan as applied to claim 1 above, and further in view of Chinese Patent Publication CN 111953671 A (hereinafter, “Fan”).

Regarding claim 18: The combination further discloses: acquiring system behavior information associated with the target Internet Protocol address and generating a behavior log based on the system behavior information (the services table of Seger, e.g. col. 11, lines 1-30); however, neither Seger nor Ries nor Shodan discloses uploading the behavior log to a blockchain system, a blockchain node in the blockchain system being used for encapsulating the behavior log into a transaction block, and performing accounting processing on a transaction block for which consensus is reached; and receiving on-chain success information returned by the blockchain and storing a file hash of the behavior log in the blockchain system in a local database based on the on-chain success information, the file hash indicating a storage location of the behavior log. 
However, Fan discloses a related invention for using honeypots wherein these limitations are taught (page 3, 3rd paragraph: “The embodiment of the invention claims a dynamic honey net data processing method and system based on block chain, each probe node after monitoring the abnormal access flow, the abnormal access flow to the honeypot node, and based on abnormal access flow and node information of the honeypot node to generate abnormal flow packet, the packing node receives the abnormal flow packet sent by each probe node, and generates new block based on abnormal flow packet received in the preset time period, and broadcasts the new block to a plurality of verification nodes, a plurality of verification nodes verify the new block based on consensus mechanism, and the new block of the verification is passed through the verification, realizing to store abnormal access flow through block chain, which can effectively prevent the attacker by using the ODAY vulnerability or advanced attack means to delete the access flow of the attacker, improving the security of the data”; see also pages 4-5 for the descriptions of steps S102 and S103 of Figure 2, wherein the claimed details of the blockchain are explicitly disclosed).

It would have been obvious prior to the effective filing date of the instant application for Seger and/or Ries to incorporate blockchain functionality into their honeypot networks, as doing so addresses some of the weaknesses of static honeypots (see Fan, page 2, “Background, 2nd paragraph”; and “Contents of the Invention”, 1st paragraph).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure, each of which further describe the Shodan tool:

“Shodan CLI 101” (Jie Liau)
“Shodan Honeyscore Client – Metasploit” (InfosecMatter)
“Honeypot, a tool to know your enemy” (Incibe) [see page 2]

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Thomas A Gyorfi whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at 571-270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435

/THOMAS A GYORFI/
Examiner, Art Unit 2435
3/19/2026

1 See also the Lyon reference, page 44, “1.2 Nmap Overview and Demonstration”, including “The default is to scan only ports one through 1024, plus about 600 others explicitly mentioned in the nmap-services database. This option format is simply a short cut for -p1-65535”

2 See also the Lyon reference, pages 228-229, “5.10.4 Idle Scan Implementation Algorithms” including “Nmap can scan groups of up to 100 ports in parallel. If Nmap probes a group then finds that the zombie IP ID has increased <N> times, there must be <N> open ports among that group. Nmap then finds the open ports with a binary search”.

3 See the Lyon reference, Chapter 12 regarding the use of the graphical user interface for interacting with, and displaying the results of, the Nmap tool; including inter alia page 478, “12.3.1 Scan Results Tabs” and page 480 “The Host Details Tab” regarding the ability to display the results of a target IP address scan.

Prosecution Timeline

Mar 23, 2023: Application Filed
May 16, 2025: Non-Final Rejection — §103
Aug 18, 2025: Response Filed
Nov 26, 2025: Final Rejection — §103
Jan 30, 2026: Response after Non-Final Action
Mar 02, 2026: Request for Continued Examination
Mar 11, 2026: Response after Non-Final Action
Mar 19, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12587557
DETECTION METHOD OF NETWORK ANOMALY AND ANOMALY DETECTION APPARATUS
2y 5m to grant Granted Mar 24, 2026
Patent 12579278
AD-HOC GRAPH PROCESSING FOR SECURITY EXPLAINABILITY
2y 5m to grant Granted Mar 17, 2026
Patent 12568101
NETWORK ANOMALY DETECTION
2y 5m to grant Granted Mar 03, 2026
Patent 12563032
CHAT-BOT ASSISTED AUTHENTICATION
2y 5m to grant Granted Feb 24, 2026
Patent 12556578
SYSTEM AND METHOD FOR DETERMINING AND PREVENTING MALFEASANT ACTIVITY IN A PRIVATE DISTRIBUTED NETWORK
2y 5m to grant Granted Feb 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 75%
With Interview: 92% (+16.8%)
Median Time to Grant: 3y 6m
PTA Risk: High
Based on 687 resolved cases by this examiner. Grant probability derived from career allow rate.