DETAILED ACTION
Claims 1-14 are presented for examination. Claim 15 is restricted
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/02/2026 has been entered.
Claim 15 withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to a nonelected invention “log interactions, commands, and attempted exploits observed at the simulation or emulation; and share metadata associated with the logged interactions, commands, and attempted exploits with at least one other of the plurality of distributed network sensor nodes for correlation.”, there being no allowable generic or linking claim. Election was made without traverse in the reply filed on 02/02/2026.
Priority
Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 119(e) as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original non-provisional application or provisional application); the disclosure of the invention in the parent application and in the later- filed application must be sufficient to comply with the requirements of the first paragraph of 35' U.S.C. 112. See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551,32 USPQ2d 1077 (Fed. Cir. 1994). In the present application, support for the following limitations is lacking in the provisional applications:
The limitation, “A system for deception- based cybersecurity using distributed sensor nodes, comprising: a plurality of network traffic sensors each configured to monitor visible network traffic, analyze the monitored traffic to identify patterns, communicate with other network sensors to correlate their respective traffic data, produce a threat landscape based on the correlated traffic data, identify a potential cybersecurity threat based on the threat landscape, and export the analyzed traffic and threat landscape for use by external systems” are not supported by claimed priority, examiner will consider the priority date back to provisional application dated: 12/07/2017.
Double Patenting
The no statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321 (c) or 1.321 (d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1 and 8 provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of copending Application No. 18/336,873. See the table below:
U.S. Patent No. 18/336,873
Instant Application
1.A system for network traffic classification using distributed sensor nodes, comprising:
a plurality of network traffic sensors each comprising a plurality of programming instructions stored in a memory of, and operating on a processor of, a respective computing device, wherein each plurality of programmable instructions, when operating on the processor, cause the respective computing device to:
monitor visible network traffic;
analyze the traffic to identify a plurality of patterns, wherein the analysis comprises analysis of a plurality of traffic sources and destinations;
communicate with at least one other of the plurality of network traffic sensors to correlate the identified plurality of patterns with the respective identified patterns of the at least one other network traffic sensor;
produce a threat landscape, wherein the threat landscape comprises a plurality of identified traffic patterns;
identify a plurality of potential cybersecurity threats based on the threat landscape; and
export the analyzed traffic data and the threat landscape for use by external systems.
2. The system of claim 1, wherein the network traffic sensor is configured to operate a network-accessible software service.
3. The system of claim 2, wherein a potential cybersecurity threat is identified based on traffic involving the network-accessible software service.
1.A system for deception-based cybersecurity using distributed sensor nodes, comprising:
a plurality of network traffic sensors each comprising a plurality of programming instructions stored in a memory of, and operating on a processor of, a respective computing device, wherein each plurality of programmable instructions, when operating on the processor, cause the respective computing device to:
monitor visible network traffic;
analyze the traffic to identify a plurality of patterns, wherein the analysis comprises analysis of a plurality of network interactions, commands executed, and attempted exploits;
communicate with at least one other of the plurality of network traffic sensors to correlate the identified plurality of patterns with the respective identified patterns of the at least one other network traffic sensor;
produce a threat landscape, wherein the threat landscape comprises a plurality of identified traffic patterns;
identify a plurality of potential cybersecurity threats based on the threat landscape; and
export the analyzed traffic data and the threat landscape for use by external systems.
2. The system of claim 1, further comprising a network module comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the respective computing device, wherein the second plurality of programmable instructions, when operating on the processor, cause the respective computing device to: receive the traffic, the traffic being associated with a network service; analyze the traffic to determine a destination network service associated with the traffic; emulate the destination network service and forward the traffic to the emulated destination network service; and monitor and log the network interactions.
3. The system of claim 1, further comprising a web module comprising a third plurality of programming instructions stored in the memory of, and operating on the processor of, the respective computing device, wherein the third plurality of programmable instructions, when operating on the processor, cause the respective computing device to: receive the traffic, the traffic being associated with a web service; analyze the traffic to determine a destination web service associated with the traffic; emulate the destination web service and forward the traffic to the emulated destination web service; and monitor and log web interaction data.
4. The system of claim 1, further comprising an internet-of-things module comprising a fourth plurality of programming instructions stored in the memory of, and operating on the processor of, the respective computing device, wherein the fourth plurality of programmable instructions, when operating on the processor, cause the respective computing device to: connect to an Internet-of-Things (IoT) device; determine an IoT protocol or service associated with the IoT device; emulate the IoT protocol or service; and monitor and log commands executed and exploits attempted within the emulation.
5. The system of claim 1, further comprising a vulnerability module comprising a fifth plurality of programming instructions stored in the memory of, and operating on the processor of, the respective computing device, wherein the fifth plurality of programmable instructions, when operating on the processor, cause the respective computing device to: simulate a known vulnerability or weakness to attract an attacker; receive the traffic, the traffic being associated with the attacker; and monitor and log commands executed exploits attempted by the attacker as the attacker interacts with simulated vulnerability or weakness.
6. The system of claim 1, wherein the plurality of network interactions, commands executed, and attempted exploits are received from an emulation engine, the emulation engine comprising one or more modules configured to operate as a lightweight honeypot.
7. The system of claim 6, wherein the plurality of network interactions, commands executed, and attempted exploits are logged during monitored interactions between an attacker and an emulated service or emulated application.
This is a provisional nonstatutory double patenting rejection.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims1 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Gassoway et al. (US Patent No. 8042180) (Hereinafter Gassoway) in view of Marck et al. (US Patent Application No. 20130291107) (Hereinafter Marck) in further view of Chowdhury et al. (US Patent Application No. 20150205966) (Hereinafter Chowdhury).
As per claim 1, Gassoway discloses a system for deception-based cybersecurity using distributed network sensor nodes, comprising:
a plurality of distributed network sensor nodes each comprising a plurality of programming instructions stored in a memory of, and operating on a processor of, a respective computing device, wherein each plurality of programmable instructions, when operating on the processor, cause the respective computing device to (col 2, lines 26-32):
analysis of a plurality of traffic sources and destinations (col 2, lines 26-32);
communicate with at least one other of the plurality of distributed network sensor nodes to exchange one or more identified patterns and correlate the identified patterns across the network sensor nodes;
produce a threat landscape based on the corelated patterns, wherein the threat landscape comprises data structures mapping relationships among sources, destination services or protocols, entities and temporal correlations (col 3, lines 36-67);
identify a plurality of potential cybersecurity threats based on the threat landscape (col 4, lines 25-59); and
export data associated with the analyzed received network traffic and the threat landscape to an external cybersecurity system configured to filter or de-noise network traffic and to dynamically update cybersecurity policies (col 5, line 65 to col 6, line 17) .
Gassoway does not explicitly disclose threat landscape and patterns. However, Marck discloses threat landscape and patterns (para 33, flagging statistically dissimilar transaction patterns as potentially suspect. … threat landscape).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gassoway and Marck. The motivation would have been to build the network that provide endpoint security solutions (both hardware and software based).
Gassoway in view of Marck does not disclose simulate or emulate a network system or service that is available to be accessed by one or more attacking devices;
monitor network traffic from the one or more attacking devices, wherein the received network traffic is received based on the simulated network system or service;
analyze the received network traffic to identify a plurality of patterns, comprising sequences of network interactions,
commands executed, and attempted exploits by the one or more attacking devices.
Chowdhury discloses simulate or emulate a network system or service that is available to be accessed by one or more attacking devices (para 17, The ICS Emulator for Malware Analysis may be used by individuals or companies to determine if malware is attacking ICS devices.);
monitor network traffic from the one or more attacking devices, wherein the received network traffic is received based on the simulated network system or service (para 18, 25, 29, device 200 monitors malware. For example, the malware may be detected and communicated to the emulator. The detection may be automated by a malware detection tool.) ;
analyze the received network traffic to identify a plurality of patterns, comprising sequences of network interactions (para 32-40, may analyze and determine data types by object groups being communicated by the malware to the ICS device. The determined group object may be stored in block 145. The malware communication may comprise, for example, but not be limited to),
commands executed, and attempted exploits by the one or more attacking devices (para 40-57, the malware may attempt to cause the ICS device to perform at least one of the following actions).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gassoway and Marck with Chowdhury. The motivation would have been to build the network that provide endpoint security solutions (both hardware and software based).
The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.
As per claim 2, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Chowdhury discloses further comprising a network module comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the respective computing device, wherein the second plurality of programmable instructions, when operating on the processor, cause the respective computing device to:
receive the network traffic from the one or more attacking device, the network traffic being associated with the simulated or emulated network system or service (para 17, The ICS Emulator for Malware Analysis may be used by individuals or companies to determine if malware is attacking ICS devices.);
analyze the received network traffic to determine a destination network service associated with the received network traffic (para 32-40, may analyze and determine data types by object groups being communicated by the malware to the ICS device. The determined group object may be stored in block 145. The malware communication may comprise, for example, but not be limited to);
simulate or emulate the destination network service and forward the received network traffic to the simulated or emulated destination network service (para 24, During the verification process, the simulation malware may be configured to perform various malicious acts in various controlled testing environments. Para 25, these malicious acts performed by the simulation malware may be directed against the actual ICS devices in a first malware attack); and
monitor and log interactions between the one or more attacking devices and the simulated or emulated destination network or service (para 40-57, the malware may attempt to cause the ICS device to perform at least one of the following actions).
As per claim 3, claim is rejected for the same reasons and motivation as claim 2, above. In addition, Gassoway discloses further comprising a web module comprising a third plurality of programming instructions stored in the memory of, and operating on the processor of, the respective computing device, wherein the third plurality of programmable instructions, when operating on the processor, cause the respective computing device to: receive the traffic, the traffic being associated with a web service (col 2, lines 26-32, a monitoring unit for monitoring network traffic from one or more devices, an analyzing unit for analyzing the network traffic to determine the presence of a malicious program in the one or more devices);
analyze the received network traffic to determine a destination web service associated with the received network traffic (col 2, lines 26-32, a monitoring unit for monitoring network traffic from one or more devices, an analyzing unit for analyzing the network traffic to determine the presence of a malicious program in the one or more devices); and
monitor and log web interaction data between the one or more attacking devices and the simulated or emulated web service (col 2, lines 26-32, a monitoring unit for monitoring network traffic from one or more devices, an analyzing unit for analyzing the network traffic to determine the presence of a malicious program in the one or more devices).
Chowdhury discloses simulate or emulate the destination web service and forward the received network traffic to the simulated or emulated destination web service (para 24, During the verification process, the simulation malware may be configured to perform various malicious acts in various controlled testing environments. Para 25, these malicious acts performed by the simulation malware may be directed against the actual ICS devices in a first malware attack) .
As per claim 4, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Chowdhury discloses further comprising an internet-of-things module comprising a fourth plurality of programming instructions stored in the memory of, and operating on the processor of, the respective computing device, wherein the fourth plurality of programmable instructions, when operating on the processor, cause the respective computing device to:
receive the network traffic from the one or more attacking devices, the network traffic
being associated with an Internet-of-Things (IoT) device (para 7, The emulation may be employed to determine, for example, if there exist any vulnerabilities within the industrial control device configuration. The vulnerabilities may make the industrial device vulnerable to, for example, malware attacks. The emulation may be employed for any useful purpose, functional equivalent);
connect to the device (para 71, Computing device may also contain a communication connection that may allow device to communicate with other computing devices);
monitor (para 29, monitor) and log commands executed and exploits attempted by the one or more attacking devices within the simulation or emulation of the IOT protocol or service (para 19, a communication protocol being used to communicate with the device, data types by object groups, and what function the malware may be attempting to perform on the device; para 17, The ICS Emulator for Malware Analysis may be used by individuals or companies to determine if malware is attacking ICS devices).
determine an IoT protocol or service associated with the IoT device (para 31, determine a communication protocol used by the malware to communicate with the ICS device);
emulate the IoT protocol or service (para 29, malware may be automatically communicated to the emulator; para 31, determine a communication protocol used by the malware to communicate with the ICS device).
As per claim 5, claim is rejected for the same reasons and motivation as claim 2, above. In addition, Gassoway discloses further comprising a vulnerability module comprising a fifth plurality of programming instructions stored in the memory of, and operating on the processor of, the respective computing device, wherein the fifth plurality of programmable instructions, when operating on the processor, cause the respective computing device to:
receive the network traffic from the one or more attacking devices, the traffic being associated with the attacker (col 2, lines 26-32, a monitoring unit for monitoring network traffic from one or more devices, an analyzing unit for analyzing the network traffic to determine the presence of a malicious program in the one or more devices); and
monitor and log commands executed and exploits attempted by the one or more attacking devices as the one or more attacking devices interacts with the simulated known vulnerability or weakness(col 2, lines 26-32, a monitoring unit for monitoring network traffic from one or more devices, an analyzing unit for analyzing the network traffic to determine the presence of a malicious program in the one or more devices).
Chowdhury discloses simulate a known vulnerability or weakness to attract the one or more attacking devices (para 19, a communication protocol being used to communicate with the device, data types by object groups, and what function the malware may be attempting to perform on the device; para 17, The ICS Emulator for Malware Analysis may be used by individuals or companies to determine if malware is attacking ICS devices).
As per claim 6, claim is rejected for the same reasons and motivation as claim 2, above. In addition, Chowdhury discloses wherein the plurality of network interactions, commands executed, and attempted exploits are received from an emulation engine, the emulation engine comprising one or more modules configured to operate as a lightweight honeypot (para 19, a communication protocol being used to communicate with the device, data types by object groups, and what function the malware may be attempting to perform on the device; para 17, The ICS Emulator for Malware Analysis may be used by individuals or companies to determine if malware is attacking ICS devices).
As per claim 7, claim is rejected for the same reasons and motivation as claim 2, above. In addition, Gassoway discloses wherein the plurality of network interactions, commands executed, and attempted exploits are logged during monitored interactions between the one or more attacking devices and the emulated network system or service or an emulated application provided by the emulation engine (fig 48 a, para 531, the event may be logged).
As per claims 8-14, claims are rejected for the same reasons and motivations as claims 2-7, above.
Response to Arguments
Response to Arguments
Applicant's arguments filed 02/02/2026 have been fully considered but they are not persuasive, therefore rejections to claims 1-14 is maintained.
In the remarks applicants argued that:
Argument: Chowdhury does not disclose simulate or emulate a network system or service that is available to be accessed by one or more attacking devices; monitor network traffic from the one or more attacking devices, wherein the received network traffic is received based on the simulated network system or service ; analyze the received network traffic to identify a plurality of patterns, comprising sequences of network interactions, commands executed, and attempted exploits by the one or more attacking devices.
Response: Chowdhury discloses simulate or emulate a network system or service that is available to be accessed by one or more attacking devices (para 17-25 , The ICS Emulator that is designed to interact with malware for Malware Analysis to determine if malware is attacking ICS devices and the for testing /analysis , para 23, “ the software may then be used to emulate the actual ICS devices; para 25, discuss how malicious act performed “he simulation malware may be employed to perform the malicious acts”, against these emulators to document the behavior.);
monitor network traffic from the one or more attacking devices, wherein the received network traffic is received based on the simulated network system or service (para 18, 25, 28, 29, 30 device 200 monitors malware. For example, the malware may be detected and communicated to the emulator. The detection may be automated by a malware detection tool.; para 28,computing device 200 may be employed in the performance of some or all of the stages of method 100; para 29, computing device 200 monitors malware… the malware may be inputted manually to the emulator for analysis or may be automatically analyzed ) ;
analyze the received network traffic to identify a plurality of patterns, comprising sequences of network interactions (para 32-40, may analyze and determine data types by object groups being communicated by the malware to the ICS device. The determined group object may be stored in block 145. The malware communication may comprise, for example, but not be limited to; para 18 , behavior ana lysis, para 25 malicious act),
commands executed, and attempted exploits by the one or more attacking devices (para 40-57, the malware may attempt to cause the ICS device to perform at least one of the following actions; para 18, the malware interacts; para 24, he simulation malware may be configured to perform various malicious acts in various controlled testing environments).
Conclusion
Please see the attached PTO-892 for the prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMAD A SIDDIQI/Primary Examiner, Art Unit 2493